A data leak that actually occurred a while back but was not covered by the media is now freely shared on at least two dark web forums. The compromised entity is ‘Airlink International U.A.E.,’ which is a travel and logistics firm that employs over two hundred people and has yearly revenues in the range of $250 million. The security incident happened due to a server misconfiguration that leaked the data, so there were no hacker breaches.
Unfortunately for both the company and the exposed individuals, the data that is being now shared for free with multiple actors concern highly sensitive details in 14 folders containing 53,555 files. It includes passport scans, flight bookings, hotel bookings, email communications of the firm and its customers, and insurance policy PDFs for international travel.
Obviously, clients' personally identifiable information is available in these files, including names, email addresses, phone numbers, and various travel details like expenses and duration of stays.
The passport scans alone are enough to cause a big headache to their holders, as someone could now forge fake ones, impersonate the owners online or on the physical world, phish them, scam them, and more. One way to deal with this would be to get a new passport, which of course, costs time and money to do. If you have done business with Airlink International U.A.E., we suggest that you get a new passport with a new number on it and declare the old one stolen.
Related: Almost All Airlines Are Vulnerable to Email Fraud Attacks
Moreover, you should remain vigilant with incoming communications and keep in mind that crooks now have both your phone number and your email address. Phishing attempts are the most likely, and since many actors have this data on their hands, you may see these attempts coming from multiple places. The original leak occurred back on May 30, 2020, so the period of potential scamming starts from then and will go on indefinitely.
As for Airlink International UAE, it remains unclear if the company sent notifications to the affected individuals, but considering the absence of laws that would force them to report data leaks to the relevant authorities in the United Arab Emirates, they almost definitely haven’t informed anyone.