Unprotected database of flight booking site Option Way exposes sensitive customer information

• The unsecured database has leaked over 100 GB of data of customers from various countries including France, Belgium, Algeria, Switzerland, and Austria.
• The leaky database also exposed Option Way’s credit card details as well as the personal information of its employees.

What is the problem?

Security researchers from vpnMentor, Noam Rotem and Ran Locar discovered an unprotected Elasticsearch database belonging to a flight booking website ‘Option Way’.

What is the impact?

The unsecured database has leaked over 100 GB of data of customers from various countries including France, Belgium, Algeria, Switzerland, and Austria.

What information was exposed?

• The exposed information includes the personal information of customers such as names, dates of birth, gender, email addresses, phone numbers, and home addresses.
• The compromised information also includes customers’ booking details such as dates of flight departure and return, unique PNR numbers attached to their reservations, destinations, and flight prices.
• The leaky database also exposed Option Way’s credit card details as well as the personal information of its employees.

Discovery of the database

Researchers discovered the leaky database on August 20, 2019. After examining the database, the researchers notified Option Way about the vulnerability on August 25, 2019, and the owners of the database responded back 4 days later.

“With this information obtained, the victim can be exploited in various criminal schemes, from credit card fraud all the way to complete identity theft. Hackers can sell PII to the highest bidder on the dark web and combine it with other forms of attack, making the criminals exploiting the data untraceable,” researchers said in a blog.