Flight tracking site FlightAware has blamed a “configuration error” for exposing a raft of its customers’ personal information, including some of their Social Security numbers.
The company, which claims to be one of the largest aggregators of flight data, said in a notice on its website that it identified the unspecified error on July 25, which exposed names, email addresses, and more, depending on what information users provided to the company.
FlightAware said the exposed data includes “billing address, shipping address, IP address, social media accounts, telephone numbers, year of birth, last four digits of your credit card number, information about aircraft owned, industry, title, pilot status (yes/no), and your account activity (such as flights viewed and comments posted).”
In a separate notice filed with California’s attorney general’s office, FlightAware said that its investigation found passwords and Social Security numbers were also exposed.
As a result, the company said it’s requiring all affected users to reset their account passwords. FlightAware does not say in the notice whether customers’ stored passwords are scrambled or to what extent.
The notice filed with the state says the breach dates as far back as January 2021, over three years ago.
The company’s description of a configuration error implies a mistake on the company’s part, rather than a malicious cyberattack.
While FlightAware concedes that customer data was exposed, it’s not known if anyone accessed or exfiltrated the data, or if the company has the technical means, such as logs, to determine if anyone downloaded the customer data.
FlightAware spokesperson Kathleen Bangs did not respond to requests for comment or say how many customers are affected.
FlightAware says on its website that it has more than 10 million monthly users.