Whoops: FlightAware Exposes Sensitive Personal Data Of Millions Of Users, Pilots, And Plane Owners
from the another-day,-another-scandal dept
Popular flight tracking app FlightAware says it accidentally leaked the personal data of its 10,000 aircraft operators and 12 million users. According to an announcement the company sent to users, “a configuration error” resulted in the exposure of usernames, passwords, email addresses, names, billing addresses, telephone numbers, birth dates, aircraft ownership records, user data, and more.
The company is requesting that users reset their account passwords:
“FlightAware values your privacy and deeply regrets that this incident occurred. Once we discovered the exposure, we immediately remedied the configuration error. Out of an abundance of caution, we are also requiring all potentially impacted users to reset their password.”
In other words, almost all of the data users entered into the website was accidentally left freely available on the open internet. The company didn’t specify whether this data was externally accessed, likely because it doesn’t know.
As we’ve noted repeatedly, such mistakes are increasingly commonplace in a country that’s simply too corrupt to pass a meaningful privacy law for the internet era. Trading in user data is simply too lucrative, Congress has repeatedly declared, to impose any sort of guard rails on companies (and executives specifically) that over-collect your data, hyper-monetize it, yet fail to adequately secure it.
They do that because the tiny regulatory fines and penalties (if there are any) are viewed as a near-irrelevant cost of business compared to the costs they’d incur from respecting consumer privacy and implementing tough security standards. Nothing changes until those penalties are dramatically reformed and expanded; especially for individual executives.
Flight data, of course, creates a particularly sensitive national security risk. And while Congress did recently pass a privacy law related to flight data privacy, it was simply to protect rich Americans worried about being scolded for their environmentally harmful excessive private jet use.
Filed Under: consumer, flight data, privacy, security
Companies: flightaware


Comments on “Whoops: FlightAware Exposes Sensitive Personal Data Of Millions Of Users, Pilots, And Plane Owners”
They apologize, so the case is closed, as usual.
The worst part of this is that all the leaked data couldn’t be sold to data brokers, so that’s a lot of money that won’t go into shareholders’ pockets. What a sad story.
ssn
What their press release doesn’t say but their filing with the CA AG says is that they also exposed their users’ SSN. I mean… It’s a flight tracking app. Why does it need its users’ SSN? Why were users providing it?
https://oag.ca.gov/system/files/Notice%20to%20Data%20Subjects-%20CA.pdf
Re:
I’d imagine the components that require identity verification, like authorizing individuals to bypass the FAA-backed flight data privacy scheme.
Oops??? OOPS????
I think this is a bit more than a whoopsie daisie
Re:
Security is not a stone wall. Security is a balloon.
If you have a small hole in security, you are not “mostly okay still”. You are (potentially) entirely compromised. If you don’t act as if everything that could have been leaked was in fact leaked, you will find why pessimists are generally happier people.
"values your privacy"
Uh-huh. Amateurs.
So, by “configuration error” they really mean they left everything in plain text and stored it for later use.
Were they hacked or is this the “story” behind them selling the data?
Passwords
This is worse than this article makes out. No website that is doing security right can expose user passwords. They should be hashed and only that hash should be stored.
Re: You get what you pay for.
While I agree, you know what?
Newly minted CS grads are cheaper to hire than 15 year veteran programmers. 15 year veteran programmers are cheaper to hire than 20 year programmers who have trained and practiced in security (and have made many of those mistakes already).
If the job goes to the lowest bidder…
Well sure, but they’re sorry
We can haz Eon flight data?