Despite the denial by the Nigerian government-controlled airline Arik Air that its customers’ data were ever leaked, Justin Paine, who discovered the exposed data on September 6, insisted there was a “massive” leak, and that it was only fixed after September 24.
Flutterwave, a payment gateway provider whose name Paine said appeared in the leaked data, also denied that the leak happened on its watch.
“If Arik Air is vehement that they’ve never directly used Amazon’s S3 to store their customers’ data, then it seems very likely one of their payment processors uses S3 to store Arik Air’s data,” Paine, who heads the Trust and Safety department of Cloudflare, told The Guardian.
Paine said the exposed storage bucket contained 994 comma-separated values (CSV) files, holding customer information collected between December 31, 2017, and March 16, 2018. In computing, a CSV file is a delimited text file that stores tabular data in plain text, using a comma to separate the values in each row.
The leak contained, among other things, sensitive customer details such as device fingerprints, names, email addresses, the first six and last four digits of credit card numbers, and IP addresses.
The leaked files covered 54,011 unique names, 41,304 unique device fingerprints, 65,412 unique email addresses, and 570,210 unique card transactions, of which 437,457 were made using Mastercard and 97,713 using Visa.
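Figures like the ones above are the first thing a responder produces from a dump of this kind: how many distinct people, devices and card transactions are exposed, and which card brands are affected. The script below is an added example, not code from the article, from Paine, or from any of the companies named. It reads CSV rows in the shape the article describes (device fingerprint, name, email, first six and last four card digits, IP address) and computes those counts, classifying the card brand from the first six digits (the issuer identification number: Visa begins with 4, Mastercard uses 51-55 and 2221-2720). It also flags rows where a full card number appears in the “first six” field, since the article’s description assumes the numbers were truncated. The column names, the transaction reference column and every row of sample data are constructed assumptions for the example.

```python
import csv
import io
from collections import Counter

# Constructed sample rows in the shape the article describes. Every value is
# invented; the column names (including txn_ref) are assumptions for this
# example, not the layout of the real files. T5 appears twice to mimic the
# same record being present in two of the dumped files, and T6 carries a
# full (test) card number where only six digits should be.
SAMPLE_CSV = """txn_ref,device_fingerprint,name,email,card_first6,card_last4,ip
T1,fp-a1,Ada Obi,ada@example.com,411111,1111,203.0.113.5
T2,fp-a1,Ada Obi,ADA@example.com,411111,1111,203.0.113.5
T3,fp-b2,Bola Ade,bola@example.com,555555,4444,198.51.100.7
T4,fp-c3,Chidi Eze,chidi@example.com,222100,0008,192.0.2.9
T5,fp-d4,Dayo Ola,dayo@example.com,601100,0004,192.0.2.10
T5,fp-d4,Dayo Ola,dayo@example.com,601100,0004,192.0.2.10
T6,fp-e5,Efe Uzo,efe@example.com,4111111111111111,1111,192.0.2.11
"""


def card_brand(digits):
    """Classify a card number prefix by its issuer identification number.

    Visa numbers start with 4; Mastercard uses 51-55 and 2221-2720. Anything
    else is reported as "other" rather than guessed; fewer than six digits
    is "unknown".
    """
    prefix = digits.strip()
    if len(prefix) < 6 or not prefix.isdigit():
        return "unknown"
    if prefix[0] == "4":
        return "visa"
    two, four = int(prefix[:2]), int(prefix[:4])
    if 51 <= two <= 55 or 2221 <= four <= 2720:
        return "mastercard"
    return "other"


def summarise(csv_text):
    """Return exposure counts for one CSV dump (or several concatenated)."""
    names, fingerprints, emails, seen_txns = set(), set(), set(), set()
    brands = Counter()
    untruncated = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        ref = row["txn_ref"].strip()
        if ref in seen_txns:  # same transaction dumped into two files
            continue
        seen_txns.add(ref)
        names.add(row["name"].strip())
        fingerprints.add(row["device_fingerprint"].strip())
        emails.add(row["email"].strip().lower())  # ADA@ and ada@ are one person
        brands[card_brand(row["card_first6"])] += 1
        # The article describes first-six/last-four truncation; a longer
        # "first six" field means a full card number slipped through.
        if len(row["card_first6"].strip()) > 6 or len(row["card_last4"].strip()) > 4:
            untruncated.append(ref)
    return {
        "unique_transactions": len(seen_txns),
        "unique_names": len(names),
        "unique_fingerprints": len(fingerprints),
        "unique_emails": len(emails),
        "by_brand": dict(brands),
        "untruncated_rows": untruncated,
    }


if __name__ == "__main__":
    for key, value in summarise(SAMPLE_CSV).items():
        print(f"{key}: {value}")
```

On the sample above the script reports six unique transactions from seven rows, five distinct names, fingerprints and email addresses, three Visa and two Mastercard transactions, and flags T6 as carrying an untruncated number. The brand split uses only the issuer prefix, so it works on properly truncated data and never needs the full card number; the untruncated-row list is what you would hand to the card brands and the processor, since those rows change the incident from a truncated-PAN exposure into a cardholder data breach.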
A spokesman for Arik, Ola Adebanji, said on Wednesday that the airline did not use Amazon S3 to host its website and that it was reviewing “all our systems including interface with third-party processors to eliminate vulnerabilities.”
Modupe Duronsinmi-Etti, Flutterwave’s developer community manager, said the firm does not store users’ card information, noting that it is Payment Card Industry Data Security Standard (PCI DSS) compliant.
PCI DSS is the information security standard required of all entities that store, process or transmit cardholder data.
Although she acknowledged that Flutterwave uses Amazon Web Services (AWS), she said Amazon does not store Flutterwave’s customer information either.
“We don’t store that information,” she said. “AWS doesn’t store that information.”
She categorically denied that a bug in the AWS system could have caused the data to leak without anyone being aware of it.
The denial, Paine said, was baffling, especially since the leak was fixed only after the airline acknowledged receipt of his emails notifying it of the exposure.
He said an official of the airline who emailed him told him that “it’s been reviewed.”
Paine also told The Guardian that he contacted Flutterwave, which later contacted Arik. Flutterwave’s spokeswoman, however, said she could not confirm whether her company and Arik had had any discussion.
She did say that Flutterwave was aware of the leak and that the company had immediately reviewed the security of its systems to ensure they were safe.
Paine stopped short of holding Arik Air directly responsible for the leak. He said the S3 bucket that contained the data could have been under someone else’s control, and that this party could only be a company responsible for Arik’s payment gateway.
“The only data in that bucket appeared to be owned by Arik Air which is what led me to believe this [is] a bucket potentially controlled by Arik Air or one of their payment processors or vendors,” Paine said.
He insisted, however, that the airline must have known who controlled the bucket, judging by how quickly the leak was fixed once an acknowledgement email had been sent to him.
“It is curious that the S3 bucket became unavailable after I notified Arik Air though…so it certainly seems they knew how to track down the owner and had the owner fix the data leak,” Paine said.