A data breach at flight booking site Option Way exposed personal details on passengers and their flight and travel plans.
Researchers at vpnMentor led by Noam Rotem and Ran Locar were “able to access over 100 GB of data, a massive amount of customers’ unencrypted Personally Identifiable Information (PII),” including names, birth dates, gender, email addresses, destinations, flight prices and flight departure and return dates.
User emails were accessible through “‘incorrect password’ reset links,” which “exposed the wide database to potential hacks, and Option Way users to a lot of potential fraud,” the researchers wrote in a blog post.
“During our investigation, we also found the company’s credit card details unmasked and viewable to anybody with access to the database,” the researchers said, referring to the breach as a “goldmine for identity thieves and other attackers.”
“Companies need to be aware that their digital surface can also be leveraged by attackers seeking a way to obtain personal info or a springboard into the company,” said Elad Shapira, head of research at Panorays. “This is what is called the company’s ‘attack surface’ and it includes outdated technologies such as open ports that provide Web services into/from the internal company servers, misconfigured and not hardened servers, open and exposed AWS S3 buckets, and even inadvertently exposed internal sites due to server misconfiguration.”
Shapira said companies should “evaluate their attack surface and continuously monitor it for any changes that may pinpoint a threat,” including evaluating third parties. “In today’s digital world, companies outsource their data storage, processing and analysis to other services, such as was the case here with Option Way,” he said. “Companies had provided Option Way their sensitive and confidential employee and customer details.”