Passenger Hacks Indigo Website To Find Lost Luggage! Indigo Says No Data Was Compromised.. What’s The Truth?
By using this vulnerability, he was able to find the phone number of a co-passenger with whom his bag was mistakenly swapped.
How Did This Happen?
This all started when his bag got exchanged with a co-passenger in an “honest mistake” while traveling from Patna to Bengaluru on IndiGo 6E-185 on Sunday, March 27.
Interestingly, their bags were “exactly the same with some minor differences.”
Kumar tried calling IndiGo customer care after realizing the mistake.
After multiple tries, he was finally able to connect and navigate through the airline’s Interactive Voice Response (IVR) which is an automated phone system technology.
After knowing the situation, the customer care team tried to connect him with the co-passenger but “all in vain”.
When he asked about the copassangers information, the customer team was not ready to provide him with the contact details considering the personal privacy and data protection.
But they assured him that “ they will call him back when they are able to reach the other person”.
Moreover, he didn’t get that call.
He wrote on Twitter, “So I slept the night without any resolution to the issue. Thinking I may get a call in morning.(sic)”
When he did not get any call in the morning then he started digging into the airline’s website by using the co-passenger’s PNR, or Passenger Name Record, written on the bag tag.
After trying different methods he couldn’t find the phone number.
He said in a tweet, “So now, after all the failed attempts, my [developer] instinct kicked in and I pressed the F12 button on my computer keyboard and opened the developer console on the @IndiGo6E website and started the whole checkin flow with network log record on,”.
This way, he was finally able to find the phone number and email ID of his co-passenger.
IndiGo Says Otherwise
Kumar “made note of the details and decided to call the person and try to get the bags swapped,”.
Next, he advised IndiGo to improve its customer care service and IVR, Kumar wrote on Twitter.
In its defense, IndiGo said that its IT processes are “completely robust and, at no point was the IndiGo website compromised,” in a statement.
Further adding that “Any passenger can retrieve their booking details using PNR, last name, contact number, or email address from the website. This is the norm practiced across all airline systems globally,” .