Nigerian airline Arik Air may have leaked customer data






An exposed Amazon S3 bucket was reportedly the source of leaked customer data belonging to carrier Arik Air.

According to research published by Justin Paine, Head of Trust & Safety at Cloudflare, the security expert’s regular scanning for open and vulnerable Amazon S3 buckets resulted in the discovery of one containing a large number of CSV files.

As in the recent cases of Alteryx, GoDaddy, and Pocket iNet, leaky buckets are not uncommon, and a simple misconfiguration error in such systems can result in the public exposure of caches of valuable, sensitive data online.

This is reportedly the case with Arik Air: Paine says either the carrier leaked its own data, or the vulnerable bucket was the fault of one of the carrier’s payments processors.

Based in Lagos, Arik Air describes itself as “West-Africa’s leading airline offering domestic, regional and international flights.”

The leaky bucket was discovered on September 6. In total, the researcher found 994 CSV files, some of which contained “in excess of 80,000+ rows of data while other files contain 46,000+ rows of data, and in some cases, files only contain 3 rows of data,” according to the researcher.

In addition, the researcher says data was stored in the bucket which “appears to be last four digits of the credit card used” and what may be “the first six digits of the credit card used.”

Dates of sale, payment values, types of currency used, device fingerprints — which may relate to the use of mobile devices or desktop systems — and in some cases, the departing and arriving airports all appear to be in the data dump.

A point of note is the inclusion of business names related to purchases made to Arik Air.

“It’s not entirely clear who the owner of this data is as Arik Air didn’t reply with any further clarification or details,” the researcher says. “That being said, it certainly seems likely to be a bucket controlled by Arik Air, or one of their immediate partners/processors. The fact that all of these purchases have an “acctparentbusinessname” value leads me to believe this could be a payment processor specific to businesses and/or travel agents.”

It appears that the data spans between 2017-12-31 and 2018-03-16, which is roughly three and a half months’ worth of information.

The researcher attempted to contact the airline, meeting with failure over social media, LinkedIn, and email. After multiple attempts, Paine eventually received a reply over Facebook, in which Arik Air’s security team said they would review the report.

It was over a month after the initial disclosure before the bucket was secured, on October 10. It is not known if any data was fraudulently accessed before the problem was resolved.



