A Bengaluru techie’s quest for a passenger he accidentally swapped his airport bag with has raised concerns about the cybersecurity of the airline he was flying with. The airline has since apologised to him for the inconvenience caused but assured its IT processes are robust and at no point was the website compromised.
However, Nandan Kumar and Raj Shekhar, the passengers who walked away with the wrong bags that night at Kempegowda International Airport in Bengaluru, but met the next day because of a tech intervention, believe the airline needs to up its data privacy architecture.
Nandan works as a software developer and Raj is a network engineer in the city. Meanwhile, Indigo, the airline, has said it will review Nandan’s feedback.
On March 27, Nandan and Raj were flying from Patna to Bengaluru. When Nandan and his wife reached the luggage retrieval area, a few bags were left to be picked up.
They got theirs, one black and one blue. As they were getting into their apartment in Whitefield, his wife spotted a lock on the black luggage, which neither of them had put.
They had picked the wrong bag, the luggage tag confirmed.
“It was past 11.30 pm. I called up the airline via their IVR (Interactive voice response) system. I got through to them in two-three attempts. They called up the passenger I had swapped the bag with but he didn’t pick up their call. They said they will inform as soon as the passenger returns their call. I asked them if they could share the passenger’s contact so I could try calling him. They cited data privacy issues and I accepted that,” Nandan recalls the incident to Metrolife.
“I was worried what if the passenger left for Mysuru or went out of the country before I could connect. I did not hear back from the airlines till 4 am and went to sleep,” he adds. He did not get a call back from customer care till 11 am. That’s when the 28-year-old decided “to take matters into his hand”.
Using the PNR number and last name of his co-passenger that were printed on the luggage tag, and his “developer skills”, he was able to retrieve Raj’s contact number from “the browser network response on the airline’s website” in 10-15 minutes and also see addresses, he claims. He called up Raj, a resident of Sarjapur Road, only to learn the latter did not know his bag had been exchanged. They met that afternoon to hand over each other’s bags.
“My first question to Nandan was how he tracked my number. He explained the process and I went back and tried it. I realised any Class 12 student with some knowledge of how browsers and (website) backend work can do this. It is a cakewalk. I don’t know how the airline is backing its statement that it is not a flaw (in their systems),” Raj, 33, tells Metrolife.
He added, “It is true that not everything is encrypted or secure but exposing customer information on the browser this way is a flaw. They should use better encryption,” he adds.
That evening, Nandan tweeted about his “low-key hacker moment” and pointed out the “technical vulnerability” in the airline’s system, which shot up his followers from 180 to over 2,000 in no time.
Nandan clarifies that he did not hack into the system, bypass the security architecture, that is. He used “presence of mind” to solve his problem. Cybersecurity consultant Aroonav Das from Bengaluru says, “It is not hacking in the classical sense of the term because the system has not been compromised. Neither did he use it for personal gains. But it highlights that the controls (to bar access to the personal information of customers) on the browser did not exist. It is a privacy issue.”
In its official statement, the airline said any passenger can retrieve their booking details using PNR, last name, contact number, or email address from the website. This is the norm practised across all airline systems globally.
Apar Gupta, executive director of the Internet Freedom Foundation, shares his concern: “It points to a larger absence of legal obligation on the part of companies to inform people they hold the data of in case there is a data breach or a vulnerability discovered. Such disputes often occur and companies issue denials as they have done in the past.”
The way forward, say Aroonav and Apar, is for the airlines to fix the vulnerabilities and add a layer of identity authentication (such as OTP). “Do not post photos of the boarding pass, which may reveal your PNR details,” adds Aroonav.
How to report a cyber vulnerability
While it is a well-accepted practice to tag companies on Twitter when making the issue of cyber vulnerabilities public, expert Aroonav Das says the complainants should ideally first check if the companies have a reporting mechanism or bug bounty programme on their website and communicate to them beforehand. While putting out publicly, do not disclose the exact nature of the vulnerability, he cautions.