Yes, Arik Air was hacked. On Tuesday, the 30th of October 2018, Twitter went crazy. What happened: cyber security expert Justin Paine made a public disclosure that shook a lot of African organizations. No, not just African organizations, but industry experts too.
It has left a lot of people discussing it: some blame Arik Air for not responding swiftly, others are of the opinion that it posed no risk.
In Africa there have been quite a number of breaches in recent years, from the breach in South Africa to now a data leak in Nigeria. African cyber security professionals and experts from various cities can't stop emphasizing how much African companies ought to start taking vulnerability disclosures seriously and acting on them as fast as possible.
But really, where does this leave organizations, African or global? What can they learn from this leak? But first, how did Arik get its data leaked?
How did Arik Air's data get leaked?
On the 6th of September, Justin Paine began his scan for vulnerable Amazon S3 buckets. Paine, who is the head of trust and safety at Cloudflare, said his attempt to alert the company to the exposed data was not acknowledged until September 24. So on the 30th of October, Justin went on to disclose his findings on Twitter.
Interestingly, Justin found that arikair.com was vulnerable to S3 bucket leakage: sitting in the bucket were loads of sensitive personal information (names, email addresses, card details, etc.).
In Justin’s words …
“In the normal course of scanning for open/exposed/vulnerable Amazon S3 buckets I discovered a bucket containing a large number of CSV files. This is not all that odd. What made this bucket particularly interesting was that following a brief investigation it became immediately apparent the bucket appeared to be owned by an airline or a payment processor for an airline. After a thorough review of the files, I concluded these sensitive files were very likely owned by Arik Air.
I had not heard of Arik Air, but they describe themselves as “West-Africa’s leading airline” (source). Arik Air has had a number of financial troubles which most recently led to the Nigerian government needing to take over the airline to prevent it going bankrupt. Long story short — this seemed like a potentially important find.
After concluding the CSV files were very likely owned by Arik Air (or their payment processor) I immediately attempted to make contact with Arik Air to notify them of this data leak. To say this process was challenging would be an understatement. I can confirm roughly 1 month after notice was provided that action has finally been taken to secure the S3 bucket.”
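The misconfiguration at the heart of this story is a bucket that anonymous clients can list and read. As an added example (not code from the article, from Paine, or from Arik Air), here is a check that evaluates a bucket ACL and a bucket policy, in the shapes boto3 returns them, for anonymous read access; the sample ACLs and policies are constructed.

```python
"""Flag an S3 bucket whose ACL or bucket policy grants anonymous read access.
Added example (not the article's or Arik Air's code). The dicts mimic the shapes
boto3's get_bucket_acl() / get_bucket_policy() return, so it runs offline here."""
import json
# ACL group URIs that make a grant world-readable (AllUsers = anonymous clients).
PUBLIC_GROUPS = {"http://acs.amazonaws.com/groups/global/AllUsers",
                 "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"}
READ_PERMS = {"READ", "FULL_CONTROL"}
READ_ACTIONS = {"s3:getobject", "s3:listbucket", "s3:*", "*"}


def public_acl_grants(acl):
    """Return (group URI, permission) pairs that expose listing or objects."""
    hits = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        if (grantee.get("Type") == "Group" and grantee.get("URI") in PUBLIC_GROUPS
                and grant.get("Permission") in READ_PERMS):
            hits.append((grantee["URI"], grant["Permission"]))
    return hits

def _wildcard_principal(principal):
    if principal == "*":
        return True
    aws = principal.get("AWS", []) if isinstance(principal, dict) else []
    return "*" in ([aws] if isinstance(aws, str) else aws)

def public_policy_statements(policy_json):
    """Return Sids of Allow statements that let everyone read or list. A Condition
    block may narrow such a statement, so flagged Sids still deserve a manual look."""
    hits = []
    for i, stmt in enumerate(json.loads(policy_json).get("Statement", [])):
        actions = stmt.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        if (stmt.get("Effect") == "Allow" and _wildcard_principal(stmt.get("Principal"))
                and any(a.lower() in READ_ACTIONS for a in actions)):
            hits.append(stmt.get("Sid", f"statement[{i}]"))
    return hits

def bucket_is_public(acl, policy_json):
    return bool(public_acl_grants(acl)) or bool(public_policy_statements(policy_json))

# Constructed samples: an open bucket like the one in the article, and a locked-down one.
OPEN_ACL = {"Grants": [{"Grantee": {"Type": "Group",
            "URI": "http://acs.amazonaws.com/groups/global/AllUsers"}, "Permission": "READ"}]}
CLOSED_ACL = {"Grants": [{"Grantee": {"Type": "CanonicalUser", "ID": "owner"},
                          "Permission": "FULL_CONTROL"}]}
OPEN_POLICY = json.dumps({"Statement": [{"Sid": "PublicRead", "Effect": "Allow",
              "Principal": "*", "Action": "s3:GetObject", "Resource": "arn:aws:s3:::x/*"}]})
CLOSED_POLICY = json.dumps({"Statement": []})
```

Fed the live responses of `get_bucket_acl` and `get_bucket_policy`, the same two functions report whether a real bucket is readable by the world.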
Here is the timeline of the communication between Justin and Arik Air
What does the Arik Air data leak contain?
So, what does the S3 bucket leak contain?
The answer: 994 CSV files. Some of these files contain more than 80,000 rows of data, others 46,000+ rows, and in some cases a file contains only 3 rows.
Here’s a sampling of the data points that were leaked:
- Customer email address
- Customer name
- Customer’s IP at time of purchase
- A hash of the customer’s credit card
- What appears to be the last 4 digits of the credit card used.
- What appears to possibly be the first 6 digits of the credit card used.
- A unique device fingerprint (presumably the user’s mobile or desktop device?)
- Type of currency used
- Payment card type
- Business name related to the purchase (more on this below)
- Amount of purchase
- Date of purchase
- Country of origin of the purchaser
- Charge message (chargemessage) associated with the purchase (more on this below)
- The “sector” field was populated in some cases. This appears to include the specific departing airport and arriving airport (more on this below)
- Travel pattern data from ArikAir.com
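A file full of these fields should never have reached a public bucket, and an export scanner that recognises them is one way to catch such files before they are uploaded. Added example, not the article's or Arik Air's code; the column names and rows are constructed to mirror the data points listed above.

```python
"""Classify the columns of a CSV export like the leaked Arik Air files by the kind
of personal or payment data they hold. Added example, not from the article; the
column names and rows below are constructed to mirror the data points listed."""
import csv
import io
import re

# Value patterns; a column is labelled when every non-empty cell matches one pattern.
# This is a heuristic: a 4-digit column could also be a year, so review the labels.
PATTERNS = {
    "email": re.compile(r"^[^@\s]+@[^@\s]+\.[A-Za-z]{2,}$"),
    "ipv4": re.compile(r"^(?:\d{1,3}\.){3}\d{1,3}$"),
    "card_hash": re.compile(r"^(?:[0-9a-f]{32}|[0-9a-f]{40}|[0-9a-f]{64})$"),
    "card_bin": re.compile(r"^\d{6}$"),    # first 6 digits of a card number
    "card_last4": re.compile(r"^\d{4}$"),  # last 4 digits of a card number
}
CARD_FIELDS = {"card_hash", "card_bin", "card_last4"}


def classify_columns(csv_text):
    """Map each column to the pattern that all of its non-empty values match."""
    rows = list(csv.DictReader(io.StringIO(csv_text)))
    labels = {}
    for column in (rows[0].keys() if rows else []):
        values = [r[column].strip() for r in rows if r[column] and r[column].strip()]
        for name, pattern in PATTERNS.items():
            if values and all(pattern.match(v) for v in values):
                labels[column] = name
                break
    return labels


def export_risk(csv_text):
    """Summarise whether the file holds card fragments and can identify a person."""
    labels = classify_columns(csv_text)
    kinds = set(labels.values())
    return {"card_data": bool(kinds & CARD_FIELDS),
            "identifies_person": "email" in kinds,
            "linkable_to_device": "ipv4" in kinds,
            "labels": labels}


# Constructed sample in the shape of the leaked files (every value is fake).
SAMPLE_CSV = """email,name,ip,cardhash,last4,first6,currency,amount,sector
a.b@example.com,A B,203.0.113.7,0123456789abcdef0123456789abcdef,4242,424242,NGN,52000,LOS-ABV
c.d@example.com,C D,198.51.100.9,fedcba9876543210fedcba9876543210,1111,411111,USD,310,LOS-JFK
"""
```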
3 Things Organizations Can Learn from the Arik Air Hack & Data Leak
Based on recommendations, thoughts and discussions, information security professionals had this to say:
1. Embrace Responsible Disclosure Culture
Organizations in Africa need to know this: so long as your organization or business is online, you will remain a target for hackers. Your product, your employees and everything about you are like a hot menu waiting to be tried out in a restaurant. First, organizations need to set up a distinct unit or department that deals with incident response and responsible disclosure. This can be done by creating a channel (a website or an email address) where vulnerabilities can be reported without the researcher being reported to the authorities or arrested for a breach.
2. Don’t Rely on Outdated Technologies
Most security breaches occur due to technology in use that has been overlooked, or to outdated technologies. For example, Deloitte was reportedly hacked. How did this happen? According to The Guardian, at the time of the hack Deloitte did not have multi-factor authentication; as a result, hackers could get into the system through an administrator’s account. Outside hacking can be malicious, and the cost of such attacks is higher than that of data breaches caused by system glitches and human error.
3. Reduce Delay in Response and Reporting
So, you notice a data breach, or someone suggests there might be one. There should be no hesitation: such extraction of personal data by hackers should be addressed immediately, before it spreads across the entire customer base or gets noticed by hackers willing to trade it on the dark web. As cyber-attacks become common, it is important for CEOs and CTOs to address cybersecurity diligently and create a protected environment.
In a comment on Linkedin, the Associate Vice President of IT Arik Air had this to say:
What more can be done to keep organizations on their toes?
- Heavy sanctions from the regulator should be a starting point. This would instil a real sense of responsibility in the organizations concerned. If there is a hack and nothing is done to inform users or mitigate the damage, there should be a sanction for that.
- There should be a Data Protection (DP) regulation and a dedicated DP authority that specifically deals with these organizations.
What can users do to protect themselves and their data?
- If you feel an organization isn’t handling your data securely, call them out.
- Enable two-factor authentication across email and payment platforms.
- Get a secondary email address (one different from your main email) for signing up or registering on forums, ticketing sites, booking sites, etc.
Do you have more recommendations or analysis on the Arik Air data leak? Leave us a comment below.
We would like to hear from you.
Still in the spooky Halloween season feeling? Do check out our Halloween-inspired cybersecurity awareness post here.
Source: Rainbowtable.es and The Guardian Nigeria