FlightAware has attributed the exposure of personal customer information, including Social Security numbers, to a configuration error.
The company, which claims to be one of the largest aggregators of flight data, stated in a notice posted on its website that it discovered the unspecified error on July 25.
The error exposed names, email addresses, and other information, depending on what users supplied to the company.
According to FlightAware, the data that has been disclosed includes “billing address, shipping address, IP address, social media accounts, telephone numbers, year of birth, last four digits of your credit card number, information about aircraft owned, industry, title, pilot status (yes/no), and your account activity (such as flights viewed and comments posted).”
FlightAware reported in a separate notice to California’s attorney general’s office that its investigation revealed the exposure of Social Security numbers and passwords.
Consequently, the organisation has announced that it is requiring all affected users to reset their account credentials. The notification from FlightAware does not specify whether customers’ credentials are encrypted or to what extent.
According to the notice submitted to the state, the incident occurred in January 2021, more than three years ago.
The company’s description of a configuration error suggests that the error was caused by the company rather than by a malicious cyberattack.
FlightAware acknowledges that customer data was exposed; however, it is unclear whether anyone accessed or exfiltrated the data or whether the company possesses the technical resources, such as logs, to ascertain whether anyone downloaded the customer data.
Kathleen Bangs, the spokesperson for FlightAware, declined to respond to enquiries regarding the number of consumers affected.
According to FlightAware’s website, it has more than 10 million monthly users.