Flight tracking site FlightAware has attributed the exposure of a significant amount of its customers' personal information, including certain Social Security numbers, to a “configuration error.”
The company, which describes itself as one of the largest collectors of flight data, disclosed in a notice on its website that it discovered the unspecified error on July 25. The error resulted in the exposure of names, email addresses, and additional details that depend on what information users provided.
FlightAware noted that the exposed information encompasses “billing address, shipping address, IP address, social media accounts, telephone numbers, year of birth, last four digits of your credit card number, details about owned aircraft, industry, title, pilot status (yes/no), and account activity (such as viewed flights and posted comments).”
In a separate disclosure to the California attorney general’s office, FlightAware confirmed that passwords and Social Security numbers were also exposed.
In response, the company is requiring all affected users to reset their account passwords. However, FlightAware did not specify in the notice if customer passwords were encrypted, or to what degree.
The disclosure filed with the state indicates that the breach could date back as far as January 2021, more than three years ago.
The mention of a configuration error by the company suggests an inadvertent mistake rather than a deliberate cyberattack.
While FlightAware acknowledges the exposure of customer data, it remains unclear whether anyone gained unauthorized access to or extracted the data, or if the company possesses the technical capabilities, such as logs, to ascertain if any data was downloaded.
FlightAware representative Kathleen Bangs did not respond to inquiries for comment or provide details on the number of affected customers.
FlightAware says on its website that it has more than 10 million monthly users.