Flight tracking service Flightaware warns users of possible data theft

Flightaware's data protection was undermined by a "configuration error". This allowed access to the personal data of registered users.


There was a data leak at Flightaware, but probably without a cyberattack. The flight tracking service blames a configuration error for the fact that a large amount of personal and sometimes sensitive data of registered users could be viewed. This includes social security numbers and the last digits of credit card numbers. Flightaware recommends that users change their passwords.

The aviation software and data services company claims to be one of the largest flight tracking services with over 10 million monthly users. No information about the data leak can yet be seen on Flightaware's homepage, nor on its own blog, company news or Twitter account.

However, the website does carry a letter from Flightaware CEO Matt Davis to customers describing the incident, which Techcrunch found. In the letter, Davis expresses his regret about this data protection incident. According to the letter, a "configuration error" was discovered on July 25, 2024, which inadvertently exposed personal information from Flightaware user data.


This included the customer's user ID, password and email address. Depending on the data transmitted, the full name, billing address, shipping address, IP address, social network accounts, telephone numbers, year of birth, last four digits of the credit card number, details of the user's own aircraft, job title and industry, pilot status and user activity on Flightaware could also have been accessible. The error was rectified immediately, but customers should still change their password as a precaution.

In the letter, Flightaware does not provide any information about a possible data leak or the number of customers affected. However, the company has informed the California Attorney General about the data leak, stating that the data had been exposed since the beginning of January 2021, i.e. for more than three and a half years. In the sample letter to customers presented there, Flightaware also writes that users' social security numbers were accessible.

Flightaware has not yet responded to inquiries on the matter, so it is unclear whether anyone accessed the customer data as a result of the configuration error. It is also unclear whether the company can trace any access to other people's personal data, for example using server logs, and whether all or only some of the users registered with Flightaware were affected.

(fds)


This article was originally published in German. It was translated with technical assistance and editorially reviewed before publication.