Pegasus Airlines from turkey has suffered a data breach after an AWS cloud storage bucket was reportedly left unprotected.
The Electronic Flight Bag (EFB) information belonging to an unknown number of customers was reportedly stored in the open bucket, allowing access to sensitive information.
Turkey’s data protection agency has since confirmed that a leak has happened after it received a data breach notification from the company. A vulnerability that allowed access was discovered on March 21 and was resolved on March 24.
The leaked information includes the names, surnames, phone numbers, e-mail addresses, titles, flight information of past journeys, flight locations, and photographs and signature images of some employees.
According to Safety Detectives, which disclosed the breach, almost 23 million files were found on the bucket, totaling around 6.5 TB of data.
A blog post reads: “The bucket’s information was linked to an EFB software developed by PegasusEFB that pilots use for aircraft navigation, take-off/landing, refueling, safety procedures, and various other in-flight processes.
PegasusEFB’s open bucket left data including flight charts, navigation materials, and crew PII accessible to anyone. The bucket also exposed the EFB software’s source code, which contained plain-text passwords and secret keys that someone could use to tamper with extra-sensitive files.
This exposure could impact the safety of every Pegasus passenger and crew member around the world, Affiliated airlines that are using PegasusEFB could also be affected.