After a flight on the low-cost IndiGo airline, Nandan Kumar, a 28-year-old software engineer, determined that another passenger had accidentally taken Kumar's bag from the baggage claim belt. (As the sign says, "Many bags look alike.") He found the passenger's PNR ("passenger name record" code) on their bag and called IndiGo to ask for contact information. The airline refused, citing privacy policies, and said they'd reach out to the passenger. Kumar didn't hear back so he took matters into his own hands. From the BBC:
He started digging into IndiGo's website using his co-passenger's PNR, in the hope of finding an address or a phone number.
He tried various methods – using the check-in process, by editing the booking and updating the contact. But none of it worked.
"After all failed attempts, my developer instinct kicked in and I pressed the F12 button on my computer keyboard and opened the developer console on the IndiGo website," Mr Kumar said. "I thought 'let me check the network logs'."
What he found was surprising – his co-passenger's phone number. "To be frank, I only checked for a phone number or an email. Basically anything I could use to get in touch to retrieve my bag."
He says, however, that the system's data should have been encrypted, adding that it allowed anyone to access private information.
"A PNR and a last name is very easy to get. People share their boarding passes. Anyone can see your bags, take a picture and later use it get your information," Mr Kumar says.
The two met and exchanged bags. A happy ending, indeed. And what did IndiGo have to say: They are ""reviewing this case in detail and would like to state that our IT processes are completely robust." Obviously.