Arik Air - grounded by an Amazon S3 leak
First, I want to clarify in clear terms a handful of inaccurate claims I have seen made regarding this report.
- This was not a hack. Full stop. I've seen zero evidence to indicate this data was leaked as a result of any kind of compromise or "hack". Claims of that nature are simply inaccurate.
- I have seen claims that this was related to Flutterwave, but I have seen no evidence that Flutterwave was involved or compromised in any way.
- The data is no longer being leaked or at risk. The S3 bucket has been secured, and I have securely deleted the data that was used in the analysis of this report.
In the normal course of scanning for open/exposed/vulnerable Amazon S3 buckets I discovered a bucket containing a large number of CSV files. That by itself is not all that odd. What made this bucket particularly interesting was that after a brief investigation it became apparent the bucket was owned by an airline, or by a payment processor for an airline. After a thorough review of the files, I concluded these sensitive files were very likely owned by Arik Air. I had not heard of Arik Air, but they describe themselves as "West-Africa's leading airline" (source). Arik Air has had a number of financial troubles, which most recently led to the Nigerian government taking over the airline to prevent it going bankrupt (source). Long story short -- this seemed like a potentially important find.
After concluding the CSV files were very likely owned by Arik Air (or their payment processor) I immediately attempted to make contact with Arik Air to notify them of this data leak. To say this process was challenging would be an understatement. I can confirm roughly 1 month after notice was provided that action has finally been taken to secure the S3 bucket.
Notification and remediation:
I attempted to notify Arik Air via social media, all of which failed (at least initially). I attempted to email [email protected] (which bounced) and the email address they publish on their website, [email protected] -- which received no reply. After multiple messages on their corporate Facebook page and via Facebook Messenger I eventually received a reply, and they provided me with the email address for a security point of contact. Several days later the security point of contact confirmed they would review my report, and that was the last I heard from Arik Air. In all -- roughly 1 month elapsed from the time I notified them to the time they took action to acknowledge my report and to secure their customers' data.
| Date | Event |
| September 6, 2018 | Open bucket discovered. |
| September 6, 2018 | Attempt made to notify. No Twitter account; message left on Facebook page; message sent via Facebook. No replies to any of these attempts. |
| September 7, 2018 | Message sent to Arik Air employees on LinkedIn. |
| September 10, 2018 | [email protected] and [email protected] notified via email. The [email protected] email bounces. |
| September 17, 2018 | Message on Facebook finally replied to. |
| September 18, 2018 | Email provided for a security point of contact. No reply. |
| September 23, 2018 | Another email sent to the security point of contact. |
| September 24, 2018 | Security point of contact replies indicating "it's been reviewed". |
| October 10, 2018 | No further reply received, but the bucket has been properly secured at some point following the September 24 email. |
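The remediation in the timeline amounts to closing off public access on the bucket. The following is an added example, not the author's tooling and not anything Arik Air or its processor used, that triages a bucket's exposure offline from the three artefacts a bucket owner can pull from the S3 API: the bucket ACL, the bucket policy, and the Public Access Block settings. The ACL, policy and block-configuration dicts are constructed samples in the shape those API calls return; the bucket name, owner ID and statement Sid are placeholders.

```python
"""Added example: triage an S3 bucket's public exposure offline from the
three artefacts a bucket owner can retrieve (GetBucketAcl, GetBucketPolicy,
GetPublicAccessBlock). Not the post's tooling; all inputs below are
constructed samples shaped like those API responses."""
import json

ALL_USERS = "http://acs.amazonaws.com/groups/global/AllUsers"
AUTH_USERS = "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"
# The four Public Access Block flags; all four must be true to neutralise
# public ACLs and public bucket policies that are already in place.
PAB_FLAGS = ("BlockPublicAcls", "IgnorePublicAcls",
             "BlockPublicPolicy", "RestrictPublicBuckets")


def public_acl_grants(acl):
    """Return (group, permission) for ACL grants to everyone or any AWS user."""
    found = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") == "Group" and grantee.get("URI") in (ALL_USERS, AUTH_USERS):
            found.append((grantee["URI"].rsplit("/", 1)[-1], grant.get("Permission")))
    return found


def _principal_is_anyone(principal):
    """True for Principal "*" or {"AWS": "*"} (also inside a list)."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS")
        return aws == "*" or (isinstance(aws, list) and "*" in aws)
    return False


def public_policy_statements(policy):
    """Return (Sid, actions) for unconditional Allow statements open to any principal.
    Statements carrying a Condition block are left for manual review."""
    found = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow" or stmt.get("Condition"):
            continue
        if not _principal_is_anyone(stmt.get("Principal")):
            continue
        actions = stmt.get("Action", [])
        actions = [actions] if isinstance(actions, str) else list(actions)
        found.append((stmt.get("Sid", "<no Sid>"), actions))
    return found


def public_access_block_complete(pab):
    """All four flags set: existing public ACLs are ignored and a public policy is restricted."""
    return all(pab.get(flag) is True for flag in PAB_FLAGS)


def assess_bucket(acl, policy, pab):
    """Combine the three views: public grants only matter if the block is incomplete."""
    acl_grants = public_acl_grants(acl)
    policy_stmts = public_policy_statements(policy)
    blocked = public_access_block_complete(pab)
    return {
        "exposed": bool(acl_grants or policy_stmts) and not blocked,
        "public_acl_grants": acl_grants,
        "public_policy_statements": policy_stmts,
        "public_access_block_complete": blocked,
    }


# Constructed samples (placeholder bucket name, owner ID and Sid).
OPEN_ACL = {"Grants": [
    {"Grantee": {"Type": "CanonicalUser", "ID": "owner-id-placeholder"}, "Permission": "FULL_CONTROL"},
    {"Grantee": {"Type": "Group", "URI": ALL_USERS}, "Permission": "READ"},
]}
PRIVATE_ACL = {"Grants": [OPEN_ACL["Grants"][0]]}
OPEN_POLICY = {"Version": "2012-10-17", "Statement": [{
    "Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
    "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket-placeholder/*"}]}
OPEN_PAB = {flag: False for flag in PAB_FLAGS}      # the "open bucket" state
HARDENED_PAB = {flag: True for flag in PAB_FLAGS}   # the "properly secured" state

if __name__ == "__main__":
    print(json.dumps(assess_bucket(OPEN_ACL, OPEN_POLICY, OPEN_PAB), indent=2))
    print(json.dumps(assess_bucket(OPEN_ACL, OPEN_POLICY, HARDENED_PAB), indent=2))
```

In practice the three inputs come from `aws s3api get-bucket-acl`, `aws s3api get-bucket-policy` (whose `Policy` field is a JSON string and needs `json.loads` first) and `aws s3api get-public-access-block`; the fix that turns the first assessment into the second is `aws s3api put-public-access-block` with all four flags true, after which the stray ACL grant and policy statement should still be removed rather than merely neutralised.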
What's in the bucket:
So what's in the bucket? That's the question you came here to have answered.
The answer -- 994 CSV files. Some of these files contain more than 80,000 rows of data, others contain 46,000+ rows, and in some cases a file contains only 3 rows.
Here's a sampling of the data points that were leaked:
- Customer email address
- Customer name
- Customer's IP at time of purchase
- A hash of the customer's credit card
- What appears to be the last 4 digits of the credit card used
- What appears to be the first 6 digits of the credit card used
- A unique device fingerprint (presumably the user's mobile or desktop device?)
- Type of currency used
- Payment card type
- Business name related to the purchase (more on this below)
- Amount of purchase
- Date of purchase
- Country of origin of the purchaser
- Charge message (chargemessage) associated with the purchase (more on this below)
- The "sector" field was populated in some cases. This appears to include the specific departing airport and arriving airport (more on this below)
High level stats
| Metric | Value |
| Number of files in the bucket | 994 CSV files |
| Date range of leaked data | "2017-12-31T02:25:59.000Z" to "2018-03-16T14:08:50.000Z" (roughly 3.5 months of data) |
| Unique customer names | 54,011 |
Regarding the "business name" field:
It's not entirely clear who the owner of this data is as Arik Air didn't reply with any further clarification or details. That being said it certainly seems likely to be a bucket controlled by Arik Air, or one of their immediate partners/processors. The fact that all of these purchases have an "acctparentbusinessname" value leads me to believe this could be a payment processor specific to businesses and/or travel agents. It seems unlikely a business name would be populated for personal travel conducted by an individual. In many cases the email address associated with a user also appears to be a travel agent or company email address.
Regarding the "charge message" field:
This field appears to be additional information associated with the attempted purchase. What makes this field particularly concerning in the context of the other leaked data is that it contains information regarding the two-factor authentication (2FA) step at the time of purchase. It references a partially obscured phone number or email address (or both) to which the 2FA code is being sent.
A malicious person could potentially use this sensitive information to target one of these Arik Air customers for identity theft. With the information included in this leak a fraudster would have plenty of useful data points -- the person's name, email, first 6 and last 4 digits of the credit card, and a hint as to which email address or phone number receives the person's 2FA codes, so they could then focus on compromising that 2FA channel to steal the user's identity.
Regarding the "sector" field:
In some cases this "sector" field is populated. Using this value in combination with a customer's email address it is possible to map out all flights this user has taken in the 3.5 months contained by this leaked data.
When pivoting on a single customer's email address we see the following pattern of travel:
One might certainly consider this to be sensitive information in combination with the customer's name, dates of flights, travel itinerary, and what looks to be the first 6 and last 4 digits of the customer's credit card number.
Overall travel patterns from this dataset are as follows:
Information below is in the format:
Friendly name (fieldname)
Customer Email (custemailprovider)
| Customer Email Provider | Count |

| Type of Currency | Count |

Account business name (acctparentbusinessname)
| Account Business Name | Count |
| Access Bank Ghana Plc | 760 |
| Union Bank PLC | 272 |
| Gene Solutions Multiservices Company | 68 |
| Crenet TechLabs Limited | 34 |

Account country (acctcountry)
Payment type (paymenttype)
Payment card type (pcardtype)
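The high-level stats, the per-field counts above and the "sector" pivot on a single customer's email are all produced by the same kind of pass over the CSV rows. The following is an added example and not the author's analysis code: it uses the field names the post gives (custemailprovider, acctparentbusinessname, acctcountry, paymenttype, pcardtype, sector, chargemessage) and assumes names for the columns the post only describes (custname, custemail, custip, cardfirst6, cardlast4, currency, amount, createdat). The rows are constructed, the "LOS-ABV" sector format is an assumption, and the redact step is the minimisation you would apply before any row leaves the analysis machine, since a writeup like this one should never need to carry the card fragments, IPs or 2FA hints.

```python
"""Added example: triage helpers for a CSV dump of the kind described in the post.
Column names marked (assumed) are not from the page; the others are the post's
own field names. Every sample row below is constructed and invented."""
import csv
import io
from collections import Counter

# Constructed sample. 411111/520000 are well-known test BIN prefixes, not real cards.
SAMPLE_CSV = """custname,custemail,custemailprovider,custip,cardfirst6,cardlast4,currency,pcardtype,paymenttype,acctparentbusinessname,acctcountry,amount,createdat,sector,chargemessage
Ada Example,ada@travelco.example,travelco.example,203.0.113.10,411111,1234,NGN,VISA,card,Example Travel Ltd,NG,45000,2018-01-03T08:15:00.000Z,LOS-ABV,OTP sent to ***1234
Ada Example,ada@travelco.example,travelco.example,203.0.113.10,411111,1234,NGN,VISA,card,Example Travel Ltd,NG,47000,2018-02-14T17:40:10.000Z,ABV-LOS,OTP sent to a**@travelco.example
Bo Sample,bo@agency.example,agency.example,198.51.100.7,520000,9876,USD,MASTERCARD,card,Sample Agency Plc,GH,310,2017-12-31T02:25:59.000Z,ACC-LOS,OTP sent to ***9876
Bo Sample,bo@agency.example,agency.example,198.51.100.7,520000,9876,USD,MASTERCARD,card,Sample Agency Plc,GH,290,2018-03-16T14:08:50.000Z,,declined
Cy Test,cy@corp.example,corp.example,192.0.2.44,411111,5555,NGN,VISA,card,Example Travel Ltd,NG,12000,2018-02-01T09:00:00.000Z,LOS-PHC,OTP sent to ***5555
"""

# Columns (assumed names) that never need to appear in a report or a shared extract.
SENSITIVE_COLUMNS = ("custip", "cardfirst6", "cardlast4", "chargemessage")


def parse_records(csv_text):
    """Read one CSV file into a list of dicts keyed by header name."""
    return list(csv.DictReader(io.StringIO(csv_text)))


def summarize(records):
    """Reproduce the post's high-level stats and per-field counts for one file."""
    # ISO-8601 UTC timestamps of equal length sort correctly as plain strings.
    dates = sorted(r["createdat"] for r in records if r["createdat"])
    return {
        "rows": len(records),
        "unique_customer_names": len({r["custname"] for r in records}),
        "date_range": (dates[0], dates[-1]) if dates else None,
        "business_names": Counter(r["acctparentbusinessname"] for r in records).most_common(),
        "email_providers": Counter(r["custemailprovider"] for r in records).most_common(),
        "card_types": Counter(r["pcardtype"] for r in records).most_common(),
        "countries": Counter(r["acctcountry"] for r in records).most_common(),
    }


def travel_by_customer(records, email):
    """The 'sector' pivot: every (date, route) for one customer, in time order.
    Rows without a sector value (the post notes it is only sometimes populated) are skipped."""
    legs = [(r["createdat"], r["sector"]) for r in records
            if r["custemail"] == email and r["sector"]]
    return sorted(legs)


def mask_email(email):
    """Keep the first character of the local part and the domain only."""
    local, _, domain = email.partition("@")
    return f"{local[:1]}***@{domain}" if domain else "***"


def redact(record):
    """Drop card fragments, IP and 2FA hint; reduce name and email to minimal forms."""
    out = {k: v for k, v in record.items() if k not in SENSITIVE_COLUMNS}
    out["custemail"] = mask_email(out["custemail"])
    out["custname"] = "".join(part[:1] + "." for part in out["custname"].split())
    return out


if __name__ == "__main__":
    recs = parse_records(SAMPLE_CSV)
    print(summarize(recs))
    print(travel_by_customer(recs, "ada@travelco.example"))
    print(redact(recs[0]))
```

For the real bucket the same functions would run over all 994 files, with `summarize` results merged (unique names across files need a set kept across calls, not a sum of per-file counts); the masking in `redact` is deliberately lossy so that a redacted row cannot be joined back to a card or an inbox.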