Wednesday, 6 July, 2022
E-paper

IndiGo: Man says he hacked airline website to find lost luggage

IndiGo: Man says he hacked airline website to find lost luggage

A man says he was forced to hack into a domestic Indian airline's website to find his missing luggage.

Nandan Kumar, 28, called IndiGo - a low-cost carrier - for help, after realising that he had swapped his bag with a co-passenger.

But after IndiGo refused to help him trace the other person, Mr Kumar said he was able to retrieve information about him from the airline website.

IndiGo told the BBC that "at no point was the IndiGo website compromised".

Mr Kumar says he's not a professional hacker, but had to "do something" to retrieve his luggage.

In a series of tweets, Mr Kumar, a software engineer, said by the time he got to the airport luggage belt, a co-passenger had taken his bag and left.

He told the BBC he only realised the mistake after getting home, because both bags looked exactly alike.

He was able to identify the other person's Passenger Name Record number or PNR through a luggage tag, but when he called the airline to ask for information about the passenger, they refused to help, citing privacy and data protection rules.

In a statement sent to the BBC, IndiGo said their "customer care team followed protocol by not sharing any other passenger's contact details with another passenger. This is in line with our data privacy policies."

"The agent assured me that they would call me back when they are able to reach this person," Mr Kumar said. "But the call never came."

In a statement sent to the BBC, IndiGo airlines said that "attempts were made by the customer care team to facilitate the exchange of baggage, but it could not be completed as the calls went unanswered."

The next morning, Mr Kumar says he decided to "take matters" into his own hands.

He started digging into IndiGo's website using his co-passenger's PNR, in the hope of finding an address or a phone number.

He tried various methods - using the check-in process, by editing the booking and updating the contact. But none of it worked.

"After all failed attempts, my developer instinct kicked in and I pressed the F12 button on my computer keyboard and opened the developer console on the IndiGo website," Mr Kumar said. "I thought 'let me check the network logs'."

What he found was surprising - his co-passenger's phone number. "To be frank, I only checked for a phone number or an email. Basically anything I could use to get in touch to retrieve my bag."

He says, however, that the system's data should have been encrypted, adding that it allowed anyone to access private information.

"A PNR and a last name is very easy to get. People share their boarding passes. Anyone can see your bags, take a picture and later use it get your information," Mr Kumar says.

But it all ended well for Mr Kumar and his bag.

He called his fellow passenger with the phone number he had retrieved from the system logs, and the two met up to swap their luggage.

The airline also said it was "reviewing this case in detail and would like to state that our IT processes are completely robust".