FlySafair leaked people’s private information during R12 ticket birthday sale
Popular low-cost South African airline FlySafair leaked the private information of users participating in its highly anticipated R12-a-ticket birthday sale on Wednesday.
MyBroadband was informed that the sale site’s bulletin chat API could easily be accessed and that it was providing details of users participating in the sale, including names and email addresses.
We immediately notified FlySafair representatives, who told us the airline’s staff were actively working to take down the chat’s API.
From the official start of the sale at 9:00 on Wednesday until the moment we were first informed that the chat bulletin board had been taken offline, user data was accessible for 1 hour and 39 minutes.
During that time, the API showed the full names, email addresses and IP addresses of anyone who posted messages to it. The API also indicated whether a poster was a winner.
The API through which the information was leaked was part of a new feature that was added to the portal for this year’s sale. Previously, the site pulled a live feed from Twitter/X.
“We wanted something a bit more controlled and engaging this time around,” said Kirby Gordon, FlySafair spokesperson and chief marketing officer.
FlySafair confirmed that it had removed the chat board at 11:20 and that the API data had been cleared, including the email and IP addresses.
Gordon indicated that the sale was not affected by the removal of the chat feature and that every other part of the process remained “status quo”.
“It’s something we’ll be reviewing with our technology partners as an urgent priority because what happened is entirely unacceptable,” he told MyBroadband.
“A full post-mortem process will follow once the live operational environment has quietened, with a clear focus on understanding exactly where the failures occurred.”
The airline will also identify actions required to prevent a repeat of the issue, but Gordon said the immediate priority was supporting customers and ensuring the sale continues to operate.
Oil prices cast cloud over highly anticipated sale

While the API was accessible, users could see their position in the waiting queue for entry in the R12 ticket competition.
We saw that more than 594,000 people were in the queue around 10:30, with likely thousands more taking part throughout the sale.
The usual excitement over the sale was subdued this year, as many South Africans who hoped to purchase tickets posted their disappointment on social media about prices exceeding R12.
This year, the airline said it was forced to add surcharges and taxes to the R12 ticket prices, driven by the international fuel crisis and jet fuel costs in South Africa.
“As a result, the fares this year are not R12 all-in as they were previously, but rather R12 excluding taxes and surcharges,” explained Gordon.
“It’s still an exceptionally strong deal, but we’re no longer in a position where we can effectively subsidise the taxes and fuel-related components of the ticket as well.”
According to a full breakdown of ticket prices, although the base ticket price is R12, taxes and surcharges can push prices over R1,183.
This can double if return tickets are also purchased, with one user posting online that their full ticket price went up to R3,647.32 for flights to and from Cape Town and Johannesburg.
In April, FlySafair explained that it adjusted the surcharge on tickets weekly to reflect fluctuations in fuel prices. It recently decreased the additional costs for two weeks in a row.
“The surcharge is not a revenue mechanism, it moves directly with our actual fuel costs,” said Gordon.
Screenshot of FlySafair chat board API leak
