OneFly Data Breach Exposes Thousands of Sensitive Travel Records

Travel company OneFly has experienced a significant data breach, resulting in the exposure of thousands of sensitive records, including identification documents, flight numbers, and complete credit card details. The business-to-business global air ticketing service provider, which offers services to travel agencies and airlines, suffered this data leak over a period of several months, with the earliest entries dating back to October 1, 2025.

Severe Risks to Individuals and Businesses

The leaked information, which also includes passenger names and other personal details, could have a profound impact on individuals whose data was left unprotected. Identification documents, combined with other exposed information, could enable cybercriminals to steal victims' identities with alarming ease.

Exposed payment card numbers, flight details, and additional travel information can lead to substantial financial losses due to theft and travel scams. Moreover, this breach significantly increases the risk of sophisticated phishing attacks. Armed with the leaked data, attackers could convincingly impersonate travel agencies, further exploiting unsuspecting customers.

Technical Vulnerabilities Behind the Breach

The data leak originated from nine internal Java Spring applications that were inadvertently broadcasting private data in real time through an Elasticsearch instance. Because this instance lacked password protection, anyone who knew its IP address could access the sensitive information without any barriers.

Additionally, the leak contained JSON Web Tokens (JWTs), which are digital credentials that could allow attackers to bypass security measures and access user accounts without requiring a password. According to a report by Cybernews, exposed internal user authentication tokens can be used for user impersonation to obtain more information from internal company systems, given that Elasticsearch regularly logs currently valid tokens.
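The exposure described above depended on tokens and card numbers reaching the log index in clear text. As an added illustration (not code from OneFly or from the Cybernews report), the sketch below redacts JWTs and Luhn-valid card numbers from a log event before it is shipped to an index; the function names and the sample event are hypothetical and constructed for the example.

```python
import re

# A JWT is three base64url segments; header and payload are JSON objects,
# so both encode to a string starting with "eyJ".
JWT_RE = re.compile(r"\beyJ[A-Za-z0-9_-]+\.eyJ[A-Za-z0-9_-]+\.[A-Za-z0-9_-]*")
# Candidate card number: 13-19 digits, optionally split by spaces or hyphens.
PAN_RE = re.compile(r"\b\d(?:[ -]?\d){12,18}\b")

def luhn_ok(digits):
    """Luhn checksum, used to tell card numbers from other long digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def _mask_pan(match):
    digits = re.sub(r"\D", "", match.group(0))
    if not luhn_ok(digits):
        return match.group(0)  # e.g. a booking reference: leave untouched
    return "[PAN:****" + digits[-4:] + "]"

def redact(value):
    """Recursively redact JWTs and card numbers in a log event."""
    if isinstance(value, str):
        # Tokens first, so digit runs inside a token are never half-masked.
        return PAN_RE.sub(_mask_pan, JWT_RE.sub("[JWT:redacted]", value))
    if isinstance(value, dict):
        return {k: redact(v) for k, v in value.items()}
    if isinstance(value, list):
        return [redact(v) for v in value]
    return value  # numbers, booleans, None pass through

# Constructed sample event; the token and card number are test values.
SAMPLE_EVENT = {
    "app": "booking-service",
    "message": "payment declined for card 4111 1111 1111 1111, ref 1234567890123456",
    "headers": ["Authorization: Bearer eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiJkZW1vIn0.c2lnbmF0dXJl"],
    "status": 402,
}

if __name__ == "__main__":
    print(redact(SAMPLE_EVENT))
```

Redaction at the logging layer limits what an exposed index can reveal; it does not replace authentication and network restrictions on the Elasticsearch instance itself.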

Industry Context and Previous Incidents

This incident follows a similar data breach last year involving Vietnam Airlines, an airline that serves 20 million passengers annually. In that case, flight data such as flight numbers, passenger names, and details were leaked due to a third-party customer service platform operated by a global technology partner.

Vietnam Airlines responded by collaborating with cybersecurity experts, relevant authorities, and the third-party partner, confirming that critical data including payment information, passwords, travel itineraries, loyalty program balances, and passport details remained secure. The Daily Mail has contacted OneFly for comment regarding their breach, but a response has not yet been disclosed.

The exposure of such sensitive data underscores the ongoing vulnerabilities within the travel industry's digital infrastructure, highlighting the urgent need for enhanced cybersecurity protocols to protect consumer information from malicious actors.