[BreachExchange] Flight booking site Option Way exposed personal info on customers

Destry Winant destry at riskbasedsecurity.com
Mon Sep 9 09:13:44 EDT 2019


A data breach at flight booking site Option Way exposed personal
details on passengers and their flight and travel plans.

Researchers at vpnMentor led by Noam Rotem and Ran Locar were “able to
access over 100 GB of data, a massive amount of customers’ unencrypted
Personally Identifiable Information (PII),” including names, birth
dates, gender, email addresses, destinations, flight prices and flight
departure and return dates.

User emails were accessible through “‘incorrect password’ reset
links, which exposed the wide database to potential hacks, and Option
Way users to a lot of potential fraud,” the researchers wrote in a
blog post.

“During our investigation, we also found the company’s credit card
details unmasked and viewable to anybody with access to the database,”
the researchers said, referring to the breach as a “goldmine for
identity thieves and other attackers.”

“Companies need to be aware that their digital surface can also be
leveraged by attackers seeking a way to obtain personal info or a
springboard into the company,” said Elad Shapira, head of research at
Panorays. “This is what is called the company’s ‘attack surface’ and
it includes outdated technologies such as open ports that provide Web
services into/from the internal company servers, misconfigured and not
hardened servers, open and exposed AWS S3 buckets, and even
inadvertently exposed internal sites due to server misconfiguration.”

Shapira said companies should “evaluate their attack surface and
continuously monitor it for any changes that may pinpoint a threat,”
including evaluating third parties. “In today’s digital world,
companies outsource their data storage, processing and analysis to
other services, such as was the case here with Option Way,” he said.
“Companies had provided Option Way their sensitive and confidential
employee and customer details.”
