A Bengaluru-based software developer has claimed he was forced to hack an Indian airline’s website to find his missing luggage, according to reports.
Nandan Kumar, 28, had swapped his bag with a co-passenger. When he called IndiGo for help, the airline refused to help him find the other person. This forced Kumar to retrieve passenger information from the airline’s website.
Later, in a series of tweets, Kumar described the incident.
“Hey @IndiGo6E, wanna hear a story? And in the end I will tell you a hole (technical vulnerability) in your system?” he tweeted on Monday (28).
According to him, by the time he arrived at the airport baggage carousel, a co-passenger had taken his bag and left. He only realized the mistake after returning home.
Although he was able to identify the other person’s Passenger Name Record Number or PNR from a baggage tag, the airline did not share the information, citing privacy and data protection rules.
The customer service team said they would call him back when they were able to reach the other person, but the call never came, Kumar said.
Later, he tried various methods – using the check-in process, modifying the booking and updating the contact to get passenger data, but nothing worked. Eventually, he hacked into the system and discovered the passenger’s phone number.
He called his travel companion and the two met to swap luggage, according to reports.
Kumar then informed the airline that the system data should have been encrypted, otherwise it allows anyone to access private information.
“Dear, @IndiGo6E, take note. 1. Fix your IVR and make it more user-friendly, 2. Make your customer service more proactive than reactive,
3. Your website is leaking sensitive data, get it fixed,” he tweeted.
In a statement to BBC, IndiGo said it is looking into the matter in detail. “We would like to state that our IT processes are completely robust,” he added.