[BreachExchange] Nigerian airline Arik Air may have leaked customer data

Thu Nov 1 09:06:25 EDT 2018

https://www.zdnet.com/article/nigerian-airline-arik-air-may-have-leaked-customer-data/

An exposed Amazon S3 bucket was reportedly the source of leaked
customer data belonging to carrier Arik Air.

According to research published by Justin Paine, Head of Trust &
Safety at Cloudflare, the security expert's regular scanning for open
and vulnerable Amazon S3 buckets resulted in the discovery of one
containing a large number of CSV files.

As in the recent cases of Alteryx, GoDaddy, and Pocket iNet, leaky
buckets are not uncommon, and a simple misconfiguration error in such
systems can result in the public exposure of caches of valuable,
sensitive data online.

This is reportedly the case with Arik Air, which Paine says either
leaked their own data, or the vulnerable bucket was the fault of one
of the carrier's payment processors.

Based in Lagos, Arik Air describes itself as "West-Africa's leading
airline offering domestic, regional and international flights."

The leaky bucket was discovered on September 6. In total, the
researcher found 994 CSV files, some of which contained "in excess of
80,000+ rows of data while other files contain 46,000+ rows of data,
and in some cases, files only contain 3 rows of data," according to
the researcher.

After a thorough review, it was found that some of the data points
leaked included customer names, email addresses, IPs registered at the
time of purchases, and the hashes of credit cards used.

In addition, the researcher says data was stored in the bucket which
"appears to be last four digits of the credit card used" and what may
be "the first six digits of the credit card used."

Dates of sale, payment values, types of currency used, device
fingerprints -- which may relate to the use of mobile devices or
desktop systems -- and in some cases, the departing and arriving
airports all appear to be in the data dump.

A point of note is the inclusion of business names related to
purchases made to Arik Air.

"It's not entirely clear who the owner of this data is as Arik Air
didn't reply with any further clarification or details," the
researcher says. "That being said, it certainly seems likely to be a
bucket controlled by Arik Air, or one of their immediate
partners/processors. The fact that all of these purchases have an
"acctparentbusinessname" value leads me to believe this could be a
payment processor specific to businesses and/or travel agents."

It appears that the data spans between 2017-12-31 and 2018-03-16,
which is roughly three and a half months' worth of information.

The researcher attempted to contact the airline, meeting with failure
over social media, LinkedIn, and email. After multiple attempts, Paine
eventually received a reply over Facebook, in which Arik Air's
security team said they would review the report.

It was over a month after the initial disclosure before the bucket was
secured, on October 10. It is not known if any data was fraudulently
accessed before the problem was resolved.

Update 11.01 GMT: An Arik Air spokesperson told ZDNet:

"Our attention has been drawn to a reported exposure/vulnerability of
customer data on Amazon S3 bucket. We can confirm that we do not use
Amazon S3 for our hosting services.

Our online platforms are up and running and not under attack. Arik Air
takes IT security and protection of customer data seriously.

We are reviewing all our systems including interface[s] with
third-party processors to eliminate vulnerabilities.We would like to
assure our customers of the safety of our online sales platforms."