FlightAware says misconfigured server exposed customers' sensitive personal data

American flight tracking company FlightAware said a misconfiguration in one of its servers resulted in the exposure of sensitive personal information of its customers.

The Houston, Texas-based multi-national company provides real-time, historical, and predictive flight tracking data to its customers. It is considered as one of the world’s largest flight tracking platforms alongside FlightRadar24 and Flightstats.

In a filing with the Office of California Attorney General, FlightAware said that on July 25, it identified a misconfiguration in one of its servers. The company immediately launched an investigation to understand the scope of the incident.

The investigation revealed that the server misconfiguration exposed the sensitive personal information of the company’s customers. The compromised data included names, Social Security Numbers, billing addresses, shipping addresses, IP addresses, social media accounts, telephone numbers, year of birth, user IDs, passwords, email addresses, last four digits of credit card numbers, information about aircraft owned, industry, title, pilot status and account activity (such as flights viewed and comments posted).

“Once we discovered the exposure, we immediately remedied the configuration error. Out of an abundance of caution, we are also requiring all potentially impacted users to reset their password. You will be prompted to do so at your next log-in to FlightAware,” FlightAware said. The flight tracking platform says it has about 12 million registered users.

FlightAware has advised all affected individuals to regularly monitor their credit reports, account and benefit statements and report any suspicious activity to law enforcement authorities, including the police and state attorney general.

It has also offered two years of complimentary identity protection and credit monitoring services through Equifax to all affected individuals.