Aviation regulatory body Directorate General of Civil Aviation (DGCA) made security changes to its website on Wednesday after social media users pointed out that private and confidential directory content was available for public access.
The security concern associated with the DGCA website was first pointed out by retired pilot Shakti Lumba on Twitter. The primary issue was that private information that was supposed to remain between concerned aviation professionals, their employer airlines and the DGCA was available to the general public without any authorisation process.
Lumba, who was earlier vice president of operation at IndiGo, took to Twitter earlier in the day, saying, “...one gets access to random information which should ideally be secure, I am not aware if this is built in or is a back door into the site. [I] suggest the website be shut until the flaw is isolated.”
The security settings of the website was changed on Wednesday afternoon, several hours after concerned netizens raised the issue with DGCA, Ministry of Civil Aviation and Union Minister Jyotiraditya Scindia on Twitter.
Such a security lapse can be described as ‘Information Disclosure via Directory Listing’, says cybersecurity threat analyst Rakesh Krishnan. He comments, “This is potentially a dangerous threat where anyone who comes across this link can access the entire records.”
The information that was earlier accessible without any authentication included pilots’ medical records, personally identifiable information, private reports that airlines have shared with DGCA, etc. “Any information disclosure like this is a treasure trove for criminals to conduct various cyber crimes like phishing, identity theft, data breach, selling on dark web, scams etc,” adds Krishnan.
DGCA’s website is hosted on Amazon Web Services (AWS) servers and is managed by Tata Consultancy Services (TCS), according to the information given on the DGCA site. The website was recently tested and audited by AKS IT Services Ltd, a CERT-In empanelled security auditor. Indian Computer Emergency Response Team (CERT-In) is a nodal agency under the Union Ministry of Electronics and IT that deals with cybersecurity threats.
It is not clear as to how long this security vulnerability was present. A detailed questionnaire sent to DGCA’s IT team remained unanswered at the time of publishing.
