Mondee security lapse exposed flight itineraries and unencrypted credit card numbers

Travel giant Mondee has secured an exposed database that was spilling sensitive customer information, including detailed flight and hotel itineraries and unencrypted credit card numbers.

Anurag Sen, a good-faith security researcher known for discovering inadvertently exposed data on the internet, found the database and shared details with TechCrunch to alert the company.

According to Sen, the database was exposed to the internet without a password, allowing anyone to access the sensitive data inside using a web browser, just with its IP address. TechCrunch found that the database was also accessible from an easily guessable subdomain of a Mondee subsidiary’s website.

Much of the data appears to relate to Mondee subsidiary TripPro, a travel agent platform used by tens of thousands of booking agents and travel startups allowing self-service flight ticketing and hotel booking.

The database, hosted on Oracle’s cloud and more than 1.7 terabytes in size at the time it was exposed, contained customer’s personal information, including names, gender, dates of birth, home addresses, flight information and passport numbers. Some of the data seen by TechCrunch includes full customer passenger name records, or PNR, including ticket and booking details. TechCrunch has also seen customers’ full credit card numbers and expiry dates in the database, but none of the data was encrypted.

TechCrunch verified that the exposed data matches real people’s information. One person we spoke to confirmed their flight information was accurate and said they booked their flights through a popular booking site.

The database also contained non-customer testing data generated by Mondee developers.

The database was first spotted as exposed in late-July, according to a listing on Shodan, a search engine that crawls the web for exposed servers and databases. The circumstances of how the database became publicly accessible are not known, though database exposures are often misconfigurations caused by human error.

When reached by email, Mondee spokesperson Karen Gillo did not acknowledge the incident or provide comment. The database became inaccessible a short time after TechCrunch contacted Mondee.

It is not yet known if anyone other than Sen found the exposed database during the window it was accessible from the internet. TechCrunch asked Mondee if the company has the technical ability, such as logs, to determine what, if any, data was accessed or exfiltrated from the database.

Mondee did not say if it plans to notify affected customers of this data exposure.

Leave a Reply

Your email address will not be published. Required fields are marked *