Mondee security lapse exposed flight itineraries and unencrypted credit card numbers
that travel giant Mondee had an exposed database that was leaking sensitive customer information, including flight and hotel itineraries and unencrypted credit card numbers. Key points include:
- Security researcher Anurag Sen discovered the exposed database and alerted TechCrunch.
- The database was accessible without a password and could be accessed using just the IP address or an easily-guessable subdomain.
- The data primarily relates to Mondee subsidiary TripPro, a travel agent platform used by many booking agents and travel startups.
- The database contained personal information such as names, gender, dates of birth, home addresses, flight information, and passport numbers.
- Full customer credit card numbers and expiry dates were also exposed, and none of the data was encrypted.
- TechCrunch verified that the exposed data matched real people's information.
- The database also contained non-customer testing data generated by Mondee developers.
- The database was first discovered as exposed in late-July.
- Mondee did not acknowledge the incident or provide comment when contacted by TechCrunch.
- It is unknown if anyone other than Sen accessed the database during the time it was exposed.
- It is unclear if Mondee has the ability to determine if any data was accessed or exfiltrated.
- Mondee did not mention if they plan to notify affected customers of the data exposure.