An IndiGo passenger has claimed to find a “vulnerability” in the airline’s website using which he was able to find the phone number of a co-passenger with whom his bag was mistakenly swapped. In a series of tweets, a user, who goes by the name Nandan Kumar, explained how he was able to find that IndiGo’s website “leaks sensitive data” which the airlines need to “get it fixed”.
The user said that his bag got exchanged with a co-passenger in an “honest mistake” while travelling from Patna to Bengaluru on IndiGo 6E-185 on Sunday, March 27 as the bags were “exactly the same with some minor differences.”
After realising the mistake, Kumar tried calling IndiGo customer care and was finally able to connect after multiple calls and navigating through the airline’s Interactive Voice Response (IVR), the automated phone system technology. The customer care team tried to connect him with the co-passenger but “all in vain”. He said the customer team was also not ready to provide him with the contact details of the person citing privacy and data protection.
“After the call did not work, the agent assured me that they will call me back when they are able to reach the other person. (I am still waiting for that call ),” he wrote on Twitter. “So I slept the night without any resolution to the issue. Thinking I may get a call in morning.(sic)”
When the IndiGo passenger didn’t get any call in the morning, he started digging into the airline’s website by using the co-passenger’s PNR, or Passenger Name Record, written on the bag tag.
Kumar said he tried different methods like Check-in, Edit booking, Update contact but couldn’t find the phone number.
“So now, after all the failed attempts, my [developer] instinct kicked in and I pressed the F12 button on my computer keyboard and opened the developer console on the @IndiGo6E website and started the whole checkin flow with network log record on,” he tweeted.
He said he was finally able to find the phone number and email ID of his co-passenger.
“I made note of the details and decided to call the person and try to get the bags swapped,” Kumar wrote on Twitter as he advised IndiGo to improve its customer care service and IVR.
IndiGo said in a statement that its IT processes are “completely robust and, at no point was the IndiGo website compromised.”
“Any passenger can retrieve their booking details using PNR, last name, contact number, or email address from the website. This is the norm practiced across all airline systems globally,” the airline stated.