FlySafair’s much-hyped birthday sale took a serious turn on Wednesday after users’ private information was exposed during the airline’s R12 ticket promotion. The leak affected people using the sale portal and has now raised fresh questions about data security during one of the country’s busiest online travel events.

The exposed information included users’ full names, email addresses and IP addresses. The system also showed whether a person posting on the platform had won. The breach was linked to the bulletin chat feature on the sale site, which could reportedly be accessed through its API.

According to the details provided, the data remained accessible from the official start of the sale at 9am until the bulletin board was taken offline 1 hour and 39 minutes later. That means users taking part in the promotion were exposed during one of the busiest windows of the campaign.

Airline removes feature after being alerted

FlySafair was informed about the problem while the sale was live. The airline then moved to take down the chat API, and spokesperson Kirby Gordon said staff were actively working to shut the feature down. The airline later confirmed that the chat board was removed at 11:20 and said the exposed API data, including email and IP addresses, had been cleared.

Gordon said the airline would urgently review what went wrong with its technology partners. He described the incident as “entirely unacceptable” and said a full post-mortem would follow once the live sale environment had calmed down.

He added that the sale itself was not affected by the removal of the chat feature and that the rest of the process continued as normal. Still, the data leak is likely to overshadow what is usually a high-energy marketing event for the low-cost carrier.

New feature created a new risk

The bulletin board was a new addition to this year’s sale portal. In previous years, the site had pulled in a live feed from Twitter, now X. Gordon said the idea this year was to create something more controlled and engaging. Instead, it opened the door to a privacy problem at scale.

More than 594,000 people were reportedly in the waiting queue by around 10:30, with likely thousands more taking part throughout the day. That gives some sense of how many users may have interacted with the platform while the leak was active.

Ticket prices also spark frustration

The privacy issue landed on the same day many users were already venting frustration about the so-called R12 sale. This year, the base ticket price remained R12, but taxes and surcharges pushed actual costs far higher. FlySafair said the changes were driven by the global fuel crisis and higher local jet fuel costs.

The airline said taxes and surcharges could lift ticket prices above R1,183, with return bookings costing far more. For some customers, that took the shine off a promotion built around bargain fares. Now, with a data leak added to the mix, FlySafair faces two separate headaches from what should have been a celebratory sale.