Software developer claims he hacked IndiGo website to find lost luggage

A Bengaluru-based software developer has claimed that he was forced to hack into the website of an Indian airline to find his missing luggage, reports said.

Nandan Kumar, 28, had swapped his bag with a co-passenger. When he called IndiGo for help, the airline refused to aid him trace the other person. This forced Kumar to retrieve information about the passenger from the airline website.

Later, in a series of tweets, Kumar described the incident.

"Hey @IndiGo6E, Want to hear a story? And at the end of it I will tell you hole (technical vulnerability )in your system?," he tweeted on Monday (28).

According to him, by the time he got to the airport luggage belt, a co-passenger had taken his bag and left. He realised the mistake only after getting home.

Though he was able to identify the other person's Passenger Name Record number or PNR through a luggage tag, the airline didn't share the information, citing privacy and data protection rules.

The customer care team said they will call him back when they are able to reach the other person, but the call never came, Kumar said.

Later he tried various methods - using the check-in process, by editing the booking and updating the contact to get data about the passenger but nothing worked. Finally, he hacked into the system and found out a phone number of the passenger.

He called his fellow passenger and the two met up to swap their luggage, reports said.

Kumar later advised the airline that the system's data should have been encrypted, otherwise it allows anyone to access private information.

"Dear,@IndiGo6E, take note. 1. Fix your IVR and make it more user friendly, 2. Make your customer service more proactive than reactive,

3. Your website leaks sensitive data get it fixed," he tweeted.

In a statement to the BBC, IndiGo said that it was reviewing this case in detail. "We would like to state that our IT processes are completely robust," it added.