Passenger ‘hacks’ airline’s website to find lost luggage

Support truly
independent journalism

Support Now

Find out moreClose

Our mission is to deliver unbiased, fact-based reporting that holds power to account and exposes the truth.

Whether $5 or $50, every contribution counts.

Support us to deliver journalism without an agenda.

Louise Thomas

Editor

A passenger says he took the unorthodox step of hacking an airline’s website to locate his luggage after he ended up with the wrong bag by mistake.

Nandan Kumar claims to have taken drastic action following IndiGo flight 6E-185 from Patna to Bengaluru on 27 March, when he ended up with another traveller’s bag after the flight but didn’t notice until he arrived home as the two bags were “exactly the same with some minor differences”.

Sharing his experience on social media, the software engineer said it took multiple calls to get through to an IndiGo customer service agent – and even then claims they were unable to connect him with the other passenger.

“So long story short I couldn’t get any resolution on the issue,” he tweeted. “And neither your customer care team was not ready to provide me the contact details of the person, citing privacy and data protection.”

Kumar claims he was promised a callback, which also never came.

It was at this point that his “dev instinct kicked in”; “I pressed the F12 button on my computer keyboard and opened the developer console on the @IndiGo6E website and started the whole check-in flow with network log record on,” he tweeted.

“And there in one of the network responses was the phone number and email of my co-passenger. Ah this was my low-key hacker moment and the ray of hope. I made note of the details and decided to call the person and try to get the bags swapped.”

According to Mr Kumar, he was able to reach his fellow passenger using the phone number and the pair decided to meet midway between their houses to exchange bags.

His parting gift? Three bits of advice for the airline: “1. Fix your IVR and make it more user friendly; 2. Make your customer service more proactive than reactive; 3. Your website leaks sensitive data, get it fixed.”

Mr Kumar’s story captured social media’s attention, garnering more than 6,500 likes and over 2,000 retweets.

IndiGo strongly refuted Mr Kumar’s accusation that the airline’s website “leaks sensitive data”.

In a statement posted to Twitter, the carrier said: “We’d like to state that our IT processes are completely robust and at no point was the IndiGo website compromised.

“Any passenger can retrieve their booking details using PNR, last name, contact number or email address from the website.

“This is the norm practiced across all airline systems globally. However, your feedback is duly noted and will definitely be reviewed.”

The airline added that it is “fully committed to consumer data privacy and industry benchmark cybersecurity standards”.

The Independent has asked IndiGo for comment on the incident.