Millions of customers flying Nigeria’s foremost airline, Arik Air, may have had their data leaked as details emerged on Wednesday that the airline’s data were found in exposed and vulnerable Amazon S3 buckets.
According to Justin Paine, Head of Trust & Safety at Cloudflare, there is a bucket containing a large number of CSV files reportedly containing the Arik airline’s customers’ data.
It is unclear what triggered the development but analysts say leaky buckets are not uncommon, and they could be caused by a simple misconfiguration error system. It however can result in the public exposure of caches of valuable, sensitive data online.
According to Mr Paine, the leaky bucket was discovered on September 6 and in total, he found 994 CSV files, some of which contained “in excess of 80,000+ rows of data while other files contain 46,000+ rows of data, and in some cases, files only contain 3 rows of data.”
The safety expert’s review showed that some of the data points leaked included customer names, email addresses, IPs registered at the time of purchases, and the hashes of credit cards used. In addition, he said, data was stored in the bucket which “appears to be last four digits of the credit card used” and what may be “the first six digits of the credit card used.”
The data dump also contains dates of sale, payment values, types of currency used, device fingerprints and the departing and arriving airports, he said. Also sensitive in the discovery is the inclusion of business names related to purchases made to Arik Air.
Mr Paine said it’s not entirely clear who the owner of the data is as Arik Air did not reply with any further clarification or details.
“That being said, it certainly seems likely to be a bucket controlled by Arik Air, or one of their immediate partners/processors. The fact that all of these purchases have an “acctparentbusinessname” value leads me to believe this could be a payment processor specific to businesses and/or travel agents,” he added.
Mr Paine said he attempted to contact the airline unsuccessfully over social media, LinkedIn, and email. But after multiple attempts, he eventually received a reply over Facebook, in which Arik Air’s security team said they would look into the report.
He, however, said that it was over a month after the initial disclosure before the bucket was secured on October 10 and it is not clear if any data was fraudulently accessed before the problem was resolved.
He added further that the data spans between December 2017 and March 2018, which is roughly three and a half months’ worth of information.
Two staff of Arik Air customer service department who spoke to PREMIUM TIMES Wednesday morning said they would get back on the airline’s response. The first, who identified herself simply as Florence, said the concern is being channelled to the appropriate quarters for review. By noon Wednesday, this newspaper had gotten no explanation from the airline.
Mr Paine, who tweets via the handle @xxdesmus on Twitter, feared that a malicious person could potentially use this sensitive information to then target one of the customers of Arik Air for identify theft.
“With the information included in this leak, a fraudster would have plenty of useful data points — the person’s name, email, first 6 and last 4 of the credit card, and a hint as to what the person’s 2FA values might be so they could then focus on compromising that 2FA account (email or phone number) to take steal the user’s identify,” he explained.
An Amazon S3 bucket is a public cloud storage resource available in Amazon Web Services’ (AWS) Simple Storage Service (S3). The S3, simply, is an object storage offering. The buckets, which are similar to file folders, store objects, which consist of data and its descriptive metadata. It is often used by companies, airlines and other conglomerates handling data.