An exposed Amazon S3 bucket was reportedly the source of leaked customer data belonging to carrier Arik Air.
According to research published by Justin Paine, Head of Trust & Safety at Cloudflare, the security expert’s regular scanning for open and vulnerable Amazon S3 buckets resulted in the discovery of one containing a large number of CSV files.
As in the recent cases of Alteryx, GoDaddy, and Pocket iNet, leaky buckets are not uncommon, and a simple misconfiguration error in such systems can result in the public exposure of caches of valuable, sensitive data online.
This is reportedly the case with Arik Air: Paine says either the airline leaked its own data, or the vulnerable bucket was the fault of one of the carrier’s payment processors.
Based in Lagos, Arik Air describes itself as “West-Africa’s leading airline offering domestic, regional and international flights.”
The leaky bucket was discovered on September 6. In total, 994 CSV files were found, some of which contained “in excess of 80,000+ rows of data while other files contain 46,000+ rows of data, and in some cases, files only contain 3 rows of data,” according to the researcher.
In addition, the researcher says data was stored in the bucket which “appears to be last four digits of the credit card used” and what may be “the first six digits of the credit card used.”
Dates of sale, payment values, types of currency used, device fingerprints — which may relate to the use of mobile devices or desktop systems — and in some cases, the departing and arriving airports all appear to be in the data dump.
Also notable is the inclusion of business names related to purchases made from Arik Air.
“It’s not entirely clear who the owner of this data is as Arik Air didn’t reply with any further clarification or details,” the researcher says. “That being said, it certainly seems likely to be a bucket controlled by Arik Air, or one of their immediate partners/processors. The fact that all of these purchases have an ‘acctparentbusinessname’ value leads me to believe this could be a payment processor specific to businesses and/or travel agents.”
It appears that the data spans between 2017-12-31 and 2018-03-16, which is roughly three and a half months’ worth of information.
The researcher attempted to contact the airline, meeting with failure over social media, LinkedIn, and email. After multiple attempts, Paine eventually received a reply over Facebook, in which Arik Air’s security team said they would review the report.
It was over a month after the initial disclosure before the bucket was secured, on October 10. It is not known if any data was fraudulently accessed before the problem was resolved.