A viral thread on how a Bengaluru techie took on an airline major after having tried the traditional methods to get his bag back, which was accidentally swapped at the airport. An IndiGo passenger shared his side of the story on how his bag was swapped with another co-passenger, a common error when there are similar suitcases on the conveyer belt at the airport.
Nandan Kumar, a Bengaluru-based software engineer, shared an interesting thread on how his luggage was swapped at the airport. After having failed to retrieve his luggage from a co-passenger, whose suitcase had landed in Kumar's possession, he decided to take matters in his own hands. Not just that, in doing so, he claimed to have discovered a technical vulnerability in IndiGo's system. The airline has since investigated the matter and released a statement in which IndiGo has assured that no breach took place.
The claim
In a detailed thread, Kumar shared his ordeal of how his luggage got swapped at Bengaluru airport. He had been travelling from Patna to Bengaluru on an IndiGo flight, but he accidentally came home with someone else's suitcase, which looked a lot like his own. After realising his bag had been swapped, he claims to have called IndiGo customer care and after "a lot of wait" and "navigating through IndiGo IVR", he got hold of one exec. But no resolution was reached as customer care couldn't connect Kumar with the co-passenger with whom his suitcase had been swapped.
After having waited a day, he tried to resolve the matter himself. He already had the co-passengers PNR from the bag tag, so he tried to use that to retrieve some contact information about the co-passenger from the IndiGo website, yet again to no avail.
Hey @IndiGo6E ,
— Nandan kumar (@_sirius93_) March 28, 2022
Want to hear a story? And at the end of it I will tell you hole (technical vulnerability )in your system? #dev #bug #bugbounty ?? 1/n
That's when he claims he accessed the website's developer tools by pressing F12 and went through the network responses. To his surprise, he found the contact number and email address of the co-passenger. He managed to get through to the co-passenger, and even swapped the bags. In conclusion, he made three suggestions to IndiGo, based on his experience.
- Fix your IVR and make it more user friendly
- Make your customer service more proactive than reactive
- Your website leaks sensitive data get it fixed
Kumar's thread went viral, with hundreds and thousands of RTs and Likes and comments. Many applauded his efforts and criticised IndiGo's lax security on the website with regards to storing customer data.
Due to the viral nature of the tweet thread, many major publications published articles that are suggestive of Kumar hacking the IndiGo website.
Fact check
International Business Times reviewed the claims made in the thread carefully and assessed the situation. We also reviewed the official response from IndiGo concerning this incident, which went viral on social media.
Responding to the claims made by Kumar in the viral thread, IndiGo assured that there had been no breach in its systems. In fact, the airlines explained how Kumar was able to retrieve the contact information with such ease.
Read the official statement below:
Sir, thank you for your time over the call today. We at IndiGo, remain fully committed to consumer data privacy and industry benchmark cybersecurity standards. We'd like to inform you that we've a dedicated option available for mishandled baggage and other options for assistance on IVR. Each option is handled by a specialized team at the contact center. We tracked bock and found that you selected 'Flight info' and 'Flight cancellation' instead of mishandled baggage as your query option on IVR which took time connecting to our customer core team. Due to data privacy policy, we're not allowed to share any of the passenger's information therefore, our customer core team tried to arrange a conference call in order to facilitate the exchange of baggage. We'd also like to state that our IT processes are completely robust and, at no point was the IndiGo website compromised. Any passenger can retrieve their booking details using PNR, last name, contact number, or email address from the website. This is the norm practiced across all airline systems globally. However, your feedback is duly noted and will definitely be reviewed. We hope this clarifies and look forward to your kind understanding." —Team IndiGo
It is common knowledge, particularly in the aviation industry, about the process of retrieving boarding passes or itineraries, which goes on to confirm that this is not a breach in IndiGo's website. Besides Twitter users, many publications also carried articles claiming that the techie "hacked" into IndiGo's website, which couldn't be further from the truth.
IBTimes has been able to independently verify that IndiGo's website or its systems weren't hacked, nor there's a vulnerability to be exploited. Hence, we've arrived at the conclusion that the claims of IndiGo being hacked by a Bengaluru techie are misleading.