Arik Air in customers’ data leak mess

Nigerian airline, Arik Air is currently involved in a customer data leak mess and it has gone viral. It appears the airline is being accused of spurning efforts to notify it of a data leak that involves customers’ personal and payment information.

It was gathered that on September 6,2018 Justin Paine, the head of trust and safety at Cloudflare, one of the largest internet security and cloud network platforms in the world discovered the leak which contained sensitive customer details such as device fingerprints, names, email addresses, last four digits of credit cards, and IP addresses.

In a blog post published yesterday, Paine wrote;

“After concluding the CSV files were very likely owned by Arik Air (or their payment processor) I immediately attempted to make contact with Arik Air to notify them of this data leak,”

“To say this process was challenging would be an understatement. I can confirm roughly 1 month after notice was provided that action has finally been taken to secure the S3 bucket.”

Although Paine acknowledged that it was not totally clear who the owner of “this data is as Arik Air didn’t reply” with any further details, he doubled down on his belief that it is “a bucket controlled by Arik Air or one of their immediate partners/processors.”

Paine added that the leaked storage contained 994 CSV files, with the customers’ information collected between December 31, 2017, and March 16, 2018 containing a total of 54,011 unique names, 41, 304 unique device fingerprint, 65,412 unique emails and 570, 210 unique card transactions; 437, 457 of those were made using Mastercard and 97, 713 using Visa.

According to him, majority of the customers affected appeared to be Nigerians or based in Nigeria as most of the account used in transactions covered in the leak were domiciled in Nigeria.

He stated that the breach was only acknowledged in an email sent to him on September 24, 18 days after he first made contact with Arik Air via its Facebook page and the breach was fixed sometime after he received the email.

Meanwhile Mr Ola Adebanji, head of corporate communications at Arik Air when contacted today said he was not aware of the leak and that he will have a response after speaking with the company’s technical team and will respond to an email and text message sent to him “shortly”.

One of the companies that provide Arik Air’s online payment gateway, Interswitch did not respond when contacted by The Guardian.

It may be recalled that Arik Air which was set up in 2006 was a privately-owned business before it was taken over by the Nigerian government in 2017 after failing to repay its $429 million debts.

A spokesman for the Asset Management Corporation of Nigeria (AMCON), which now manages the company, said AMCON took “over the management of Arik because the whole place is in a mess.”

Click to comment
To Top