Aussie Travel Firm’s Data Breach Exposes Thousands

A significant data breach has put thousands of sensitive customer records at risk, following a months-long exposure of information by global air ticketing service provider, OneFly. The incident, which came to light last year, has left individuals vulnerable to identity theft, financial fraud, and sophisticated phishing attacks.

The leaked data encompasses a wide array of personal and financial details, including:

  • Identification Documents: Scanned copies of passports, driver’s licences, and other forms of ID, which could be used to impersonate individuals.
  • Flight Information: Specific flight numbers, dates, and travel itineraries.
  • Full Credit Card Details: Including card numbers, expiry dates, and CVV codes.
  • Passenger Names and Personal Details: Comprehensive information that could be used for targeted scams.

The breach originated from nine internal Java Spring applications that were inadvertently broadcasting private data in real time through an unsecured Elasticsearch instance. This instance, lacking password protection, was accessible to anyone possessing the correct IP address. The exposed data also included JSON Web Tokens (JWTs), which are digital credentials that can grant access to user accounts without the need for a password. Cybernews reported that these exposed internal user authentication tokens could be exploited for user impersonation, allowing attackers to access further information from internal company systems by leveraging regularly logged, valid tokens.
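Applications that write tokens and card data into their logs put those values into whatever index the logs are shipped to, so one defensive control is to scrub each event before it leaves the application. The Python sketch below is an added example, not OneFly's code or anything from the Cybernews report; the field names (`card`, `cvv`, `order_ref`), the redaction markers and the sample event are constructed assumptions.

```python
import base64, json, re

# Three base64url segments; a JWT header is a JSON object, so it starts "eyJ".
JWT_RE = re.compile(r"\beyJ[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\.[A-Za-z0-9_-]*")
# 13-19 digits, optionally separated by single spaces or hyphens.
PAN_RE = re.compile(r"\b\d(?:[ -]?\d){12,18}\b")
CVV_KEYS = {"cvv", "cvc", "cvv2", "securitycode"}  # assumed field names

def _is_jwt(token):
    """True if the first segment decodes to a JSON object with an 'alg' key."""
    head = token.split(".")[0]
    try:
        obj = json.loads(base64.urlsafe_b64decode(head + "=" * (-len(head) % 4)))
    except ValueError:  # bad base64, bad UTF-8 or bad JSON
        return False
    return isinstance(obj, dict) and "alg" in obj

def _luhn_ok(digits):
    """Luhn checksum, used to avoid redacting order numbers and other IDs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def scrub_text(text):
    text = JWT_RE.sub(lambda m: "[REDACTED_JWT]" if _is_jwt(m.group()) else m.group(), text)
    def pan(m):
        digits = re.sub(r"\D", "", m.group())
        return "[REDACTED_PAN]" if _luhn_ok(digits) else m.group()
    return PAN_RE.sub(pan, text)

def scrub(value, key=""):
    """Recursively scrub a log document before it is shipped for indexing."""
    if isinstance(value, dict):
        return {k: scrub(v, k) for k, v in value.items()}
    if isinstance(value, list):
        return [scrub(v, key) for v in value]
    if key.lower().replace("_", "") in CVV_KEYS:
        return "[REDACTED_CVV]"
    return scrub_text(value) if isinstance(value, str) else value

# Constructed sample event; the token is built here, not taken from any real system.
def _b64(obj):
    return base64.urlsafe_b64encode(json.dumps(obj).encode()).decode().rstrip("=")
SAMPLE_JWT = _b64({"alg": "HS256", "typ": "JWT"}) + "." + _b64({"sub": "agent-1"}) + ".c2ln"
SAMPLE_EVENT = {"message": "POST /pay Authorization: Bearer " + SAMPLE_JWT,
    "payment": {"card": "4111 1111 1111 1111", "cvv": "123", "order_ref": "1234567890123"}}
```

Scrubbing limits what a leaked index contains; it does not replace authentication and network restrictions on the log store itself.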

The ramifications of such a breach are severe. Cybercriminals armed with this leaked data could convincingly impersonate travel agencies, making phishing attempts and fraudulent bookings far more believable. The combination of identification documents and payment details presents a direct pathway to financial loss through theft and the execution of elaborate travel scams. Furthermore, the increased exposure of personal information heightens the overall risk of phishing and other targeted cyberattacks.

This incident follows a similar, albeit less severe, data exposure involving Vietnam Airlines last year. While that breach involved a third-party customer service platform and potentially exposed certain customer data, the airline maintained that critical information such as payment details, passwords, travel itineraries, loyalty program balances, and passport details remained secure. Vietnam Airlines took immediate action, collaborating with cybersecurity experts, relevant authorities, and their third-party partner to address the situation.

The OneFly data leak underscores the persistent vulnerabilities within the travel industry’s digital infrastructure. As a business-to-business service provider, OneFly’s compromised data not only affects its direct clients but also the end customers of numerous travel agencies and airlines. The earliest entries in the leaked data date back to October 1, 2025, indicating a prolonged period of exposure before detection. The full extent of the damage and the number of individuals impacted are still being assessed, but the potential for widespread harm is significant. This event serves as a stark reminder for companies handling sensitive customer data to rigorously audit their security protocols and ensure robust protection against unauthorised access.
