Arik Air in customers’ data leak mess
A Nigerian airline has been accused of spurning efforts to notify it of a data leak that involves customers’ personal and payment information.
The leak, which contained sensitive customer details such as device fingerprints, names, email addresses, last four digits of credit cards, and IP addresses, was discovered on September 6 by Justin Paine, the head of trust and safety at Cloudflare.
Cloudflare is one of the largest internet security and cloud network platforms in the world.
“After concluding the CSV files were very likely owned by Arik Air (or their payment processor) I immediately attempted to make contact with Arik Air to notify them of this data leak,” Paine said in a blog post he published on Tuesday.
“To say this process was challenging would be an understatement. I can confirm roughly 1 month after notice was provided that action has finally been taken to secure the S3 bucket.”
Although Paine acknowledged that it was not totally clear who the owner of “this data is as Arik Air didn’t reply” with any further details, he doubled down on his belief that it is “a bucket controlled by Arik Air or one of their immediate partners/processors.”
Paine said the leaked storage contained 994 CSV files, with the customers’ information collected between December 31, 2017, and March 16, 2018.
It contained 54,011 unique names, 41,304 unique device fingerprints, 65,412 unique emails and 570,210 unique card transactions; 437,457 of those were made using Mastercard and 97,713 using Visa.
The majority of the customers affected appeared to be Nigerians or based in Nigeria, as most of the accounts used in the transactions covered in the leak were domiciled in Nigeria.
He said the breach was only acknowledged in an email sent to him on September 24, 18 days after he first made contact with Arik Air via its Facebook page.
He also noted the breach was fixed sometime after he received the email.
When contacted on Wednesday, Ola Adebanji, head of corporate communications at Arik Air, said he was not aware of the leak and that he would have a response after speaking with the company’s technical team.
He promised to respond to an email and text message sent to him “shortly”.
Interswitch, one of the companies that provide Arik Air’s online payment gateway, did not respond when contacted by The Guardian.
Set up in 2006, Arik Air was a privately owned business before it was taken over by the Nigerian government in 2017 after failing to repay its $429 million debt.
A spokesman for the Asset Management Corporation of Nigeria (AMCON), which now manages the company, said AMCON took “over the management of Arik because the whole place is in a mess.”