Sale of client data: American travel company Mondee had a major data leak

Carding

Tickets, passports, credit cards — what else can travel companies reveal about their customers?

A major travel company, Mondee, recently closed access to a database that had accidentally been left publicly accessible and contained confidential customer information, including details about airline tickets, hotel reservations, and unencrypted credit card numbers.

The vulnerability became known thanks to Anurag Sen, an independent cybersecurity researcher, who discovered the database and shared information about it with TechCrunch.

According to Sen, the database, hosted in the Oracle cloud, did not require a password, so anyone who knew its IP address could access the confidential data through a web browser. As it turned out later, the database could also be found through an easily guessed subdomain of the website of one of Mondee's divisions.

Most of the data appeared to relate to Mondee's subsidiary, TripPro, which provides online flight and hotel booking services to tens of thousands of travel agents and travel startups.

The 1.7-terabyte database contained customers' personal information, including names, gender, dates of birth, home addresses, air travel data, and passport numbers. It also contained detailed booking information, up to and including full passenger PNR data. In addition, the database stored customers' full credit card numbers and their expiration dates without any encryption.

TechCrunch representatives contacted some of the individuals affected by the leak, and they confirmed that the leaked data is genuine.

According to the search engine Shodan, the first record of the database being accessible on the Internet dates to the end of July 2023. Exactly how the database became publicly accessible is unknown. Most often, such leaks result from configuration errors made through inattention.

Mondee representatives did not comment on the incident and did not provide any explanation. However, shortly after the error was pointed out to the company, access to the database was closed.

Unfortunately, it is not yet clear whether anyone other than Anurag Sen gained access to the database during the period when it was open, or whether attackers managed to take advantage of this opportunity.

Mondee has not yet said whether it plans to inform affected customers about this data leak, or whether it will provide any mitigation measures, such as credit history monitoring, if misuse of customer data is detected.
 