Based in France, Option Way has the client base around the world and helps individuals find flight deals to and from various destinations. Here, according to a reported security research firm VPNMentor, the website was leaking 100 GB worth of unsecured client data to the public internet.
Option way claims that the website is confined by an SSL certificate. This should encrypt the data transaction made to the website, as they are processed in line with the recommendation set out by the CNIL i.e. France’s data protection authority.
Moreover, the researchers discovered that the statement is not true. “Our team was able to access over 100 GB of data, a massive amount of clients’, and unencrypted Personally Identifiable Information (PII)”.
Examples of personal details we view include Customer names, Gender, Date of Birth, Email addresses, Phone numbers, Home Address, and postcode. Dates of flight departure and return, Flight Prices, and Destination.
The report noted that the leaked client data were mainly from Belgium, France, Switzerland, Australia, and Algeria.
Apart from the client’s data, the database also contained details of the employees of the company and credit cards used for transactions.
Unsecured database expose the sensitive data to the internet, is “a good thing for attackers and identity thieves,” said the researchers.
Data found in the “Option Way” leaks database
By putting together all the data found in the Option Way database leak, individual with viruses, malicious intentions could use the information for illegal activities that include:
- Fraud and Phishing
- Ticket account takeover
- Compromising Option Way Business Model
- Credit card fraud.
- Reputational damage to Option Way and more
VPNMentor found this leak when its researchers scan the ports looking for recognizable IP blocks and use these blocks to find the holes in the web system of the company. Once these holes are found, the team looks for vulnerabilities that would lead them to a data breach.
The researchers at VPNMentor exposed this unsecured database on August 20th and updated the Option Way a few days later.