A Software Engineer “Hacks” An Airline Website To Find His Lost Luggage

What would you do if your luggage got misplaced and you got no help from the airline or its customer service? I am sure this happens a lot; we just don’t hear about it often.

One such incident happened to a 28-year-old software developer, Nandan Kumar, and a network engineer, Raj Shekhar, passengers on an IndiGo flight from Patna to Bangalore in India, who accidentally walked away with the wrong bags. The bags looked similar, with the same colour and model from the same brand, hence the confusion.

To give you some perspective, IndiGo is the largest airline in India by passengers carried and fleet size. It had over 53.5% of the domestic market share as of October 2021.

Nandan Kumar (left) and Raj Shekhar (right) had walked away with the wrong bags. Image from Twitter

Nandan was travelling with his wife. When the couple were going to their apartment in Bangalore, Nandan’s wife noticed a lock on the luggage which neither of them had put there.

“I realised it only after I reached home when my wife pointed out that the bag seems to be different from ours as we don’t use key-based locks in our bags.
PS: We have too much faith in airline staff 😝😝
So right after reaching home I called your customer care.”

Nandan Kumar in a Twitter thread

When Nandan tried calling the airline’s customer service, he was told that the airline had contacted the other person (Raj), and he didn’t answer the call. Nandan asked if they could share Raj’s contact details, which the airline declined, citing data privacy issues.

Nandan decided to take the matter into his own hands after receiving no help from IndiGo’s customer service.

Using the PNR (Passenger Name Record) number and last name of his co-passenger, which were written on the luggage tag, and his “developer skills,” he claims he was able to get Raj’s contact number from “the browser network response on the airline’s website” in 10–15 minutes and also see addresses.

He called up Raj, who did not know his bag had been exchanged. They met that afternoon to exchange their bags.

The process not only helped him find his lost luggage but also led him to discover an apparent loophole in IndiGo’s system that allowed for a data breach.

Nandan later tweeted about his “hacker” moment and pointed out the technical vulnerability in the airline’s system.

Nandan’s Twitter thread about the whole incident

The airline responded in its official statement that it was sorry for the inconvenience caused and assured that the website had no security lapses, but that the feedback was duly noted and would be reviewed.

The airline also said that any passenger can retrieve their booking details using their PNR, last name, contact number, or email address from the website. That’s the norm practised across all airline systems globally.

Although I am not sure if Nandan will get any bounty for this or not, one thing is certain: self-reliance is the only way out.
