The aviation sector includes many industries ranging from airlines, airports, technology providers, subcontractors – all of which are prime targets for cyberattacks. Recently, there has been a clear increase in these attacks and their severity. Needless to say, airlines have access to very sensitive information and operate a critical component of infrastructure. Take travel documents, airlines have one thing that virtually nobody else has, and that’s passport information. According to Christopher Porter, chief intelligence strategist at FireEye, this can be explained by the fact that “air travel is high-dollar and time-sensitive and criminals have realized they can extract payment data from customers, who will have valuable credit cards to commit fraud with, or use ransomware to extort the airline.”
We’ve come up with a list of the top 5 cyberattacks in the industry over the last four years. The below list is based off the severity of the attacks, the financial impact, the number of stolen records, and other publicly-available information.
1. CATHAY PACIFIC AIRWAYS – 9.4M Breached Records, 2018
This incident is probably the most serious data breach in airline history to date. The attack affected 9.4 million Cathay Pacific passengers. In March 2018, the IT team detected suspicious activity. The company hasn’t given too many details on how the attack happened but stated that an ongoing IT operation had revealed unauthorized access to systems. According to the Information Commissioner’s Office, Cathay Pacific’s systems were entered via a server connected to the internet and malware was installed to access the data. The regulator also added that it found “a catalogue of errors” during the investigation, including back-up files that were not password protected, unpatched Internet-facing servers, use of operating systems that were no longer supported by the developer, and inadequate antivirus protection.
Later, Cathay Pacific said it knew the suspicious activity in March was actually a full-scale attack on its servers. According to the company, the attacks were “most intense” between March and May 2018 but continued after that. The stolen data included passport details, birth dates, frequent flier numbers, phone numbers and credit card information. In September 2018, Cathay Pacific began rolling out multi-factor authentication (MFA) across all users, in order to counter the sophistication and increase in cyberattacks in the aviation industry.
This seriousness of this cyberattack can be explained by its very nature: the number of people affected, the enormous amount of investigative work it required and the lengthy process of identifying the stolen data.
2. EASYJET – 9M Breached Records, 2020
The low-cost British carrier, EasyJet revealed in a press release published in May 2020 that the airline had fallen victim to a very sophisticated cyberattack four months earlier in January. The hackers gained access to the email addresses and travel information of about 9 million customers. According to the company, those directly affected have been notified. The airline promised its’ customers that their passport information has not been stolen. The verdict is still out as to why EASYJET waited 4 months to inform their clients of the attack.
The coup de grace for EasyJet was having to inform 2,208 customers that the cyber thieves purloined their credit-card information. The carrier claims to have done this, as well as having assisted the victims rectifying things.
Following the attack, 10,000 clients have engaged in a class-action lawsuit against EasyJet. The complaint was filed in May 2020 at the High Court in London. The law firm in charge is trying to convince as many customers as possible to join the lawsuit. The EasyJet group action is seeking up to £18 billion in damages, meaning each claimant could receive compensation of up to £2,000.
According to PGMBM law firm, the 10,000 people who have already joined the class action come from 50 countries throughout the world. “This was a monumental data breach and a terrible failure that had a significant impact on EasyJet customers,” notes Tom Goodhead, partner at PGMBM. “Customers should be able to trust that everything is being done to protect their privacy. Unfortunately, it appears that has not been the case here,” he said.
3. IT OPERATOR SITA – 2M Breached Records, 2021
Airline technology provider SITA confirmed on March 4, 2021 that its servers were breached in a cyberattack, affecting major airlines. According to the press release, the attack lead “to a data security incident involving certain passenger data that was stored on SITA Passenger Service System (US) Inc. servers, which operates passenger processing systems for airlines”.
Hackers managed to penetrate SITA’s servers and accessed the Passenger Service System (PSS), which handles processes ranging from ticket booking to boarding. In a statement, the company said, “after confirming the severity of the data breach on February 24, 2021, SITA took immediate action to contact affected PSS customers and all related organizations.”
The affected airlines include Star Alliance and OneWorld members such as Air New Zealand, United, Singapore Airlines, SAS, Cathay Pacific, and Finnair. The total number of travelers affected remains unclear, but it be upwards of 2 million. Most of the victims were members of frequent flyer programs of airline groups. The stolen information includes program card numbers, the status level and, in some cases, the name of the customer. According to SITA, more sensitive details such as passwords and email addresses were unaffected.
4. BRITISH AIRWAYS – 400K Breached Records, 2018
British Airways admitted that the personal data of 429,612 customers and staff was stolen from its site over a 15-day period from August 21st to September 5th, 2018. This included names, addresses, payment card numbers and CVV numbers of 244,000 BA customers. At first glance, the infection method was nothing new as it was simply a hacked version of the Modernizr JavaScript library, infected with a malicious code called Magecart. This method is typical in cyberattacks involving banking data. On closer inspection, it turns out this may not be a classic attack.
The use of multiple javascripts programs managed by a third party makes the maintenance and security of the site more difficult. And yet, the impact of such an attack can be very serious, both in terms of financial loss and company image.
In the British Airways attack, the injection was carried out directly on the company’s servers. It went unnoticed despite the many monitoring systems in place. This undeniably takes cyber threats to a higher level.
An Information Commissioner’s Office (ICO) investigation found the airline was processing a significant amount of personal data without adequate security measures in place – subsequently, the Information Commissioner’s Office fined British Airways £20m for failing to protect the personal and financial details of more than 400,000 of its customers. ICO investigators also found that BA ought to have identified weaknesses in its security and resolved them with security measures that were available at the time. Addressing these security issues would have prevented the 2018 cyberattack, investigators concluded.
5. AIR CANADA – 20K Breached Records, 2018
Between August 22nd and 24th 2018, the personal information of some 20,000 Air Canada customers who used the airline’s mobile application was hacked. In an email to its customers, the company said the data “may have been accessed improperly” through a flaw in its smartphone software. According to the company, it appears no payment information was stolen.
As a result of the breach, Air Canada locked the accounts of all of its 1.7 million users until they changed their passwords. The application stores basic information such as the usernames, email addresses and phone numbers; all of which could have ended up in the hands of hackers.
More important personal information, such as rewards program account number, passport number, Nexus border program account number, frequent flyer number, gender, date of birth, nationality, passport expiration date, country of passport issuance, as well as country of residence, could potentially have been accessed if that data had been stored on the mobile app.
In the email, Air Canada also clarified that while the rewards program account number may have been stolen by hackers, the password to access the service was not stored on the mobile application and was therefore not at risk.
“Your privacy and the protection of your data are extremely important to Air Canada,” the airline said. “Our security is multi-layered, and we work with leading industry experts to continuously improve our practices as technology and security procedures evolve.”
Airlines throughout the world are developing increasingly sophisticated and comprehensive apps to make the passenger-travel experience easier. These apps can help track flight information, purchase upgrades and access digital-boarding passes. However, the hits just keep on coming in that each new app brings on new cyber risks with which most companies are unprepared to deal.
In recent years, airlines have been rushing to digitalize. All major airlines now have increasingly sophisticated apps and rely on technology more and more. This is great for user-friendliness and overall passenger experience but can put personal data at risk. Cyberattacks are costly to the airlines. A simple glitch can ground an aircraft or even stop all operations in an affected airport. Furthermore, customers want to trust the airline to whom they give their personal information. A data breach can heavily damage an airline’s reputation. In fact, according to a SITA survey, only 35% of airlines and 30% of airports see themselves as properly protected from these cyber risks. If the aviation industry is to catch up with its peers, cybersecurity performance management (CPM) will be the key to their security improvements. CPM provides valuable insight that allows you to chart the path from “where we are” to “where we need to be.” As things stand, there’s still a lot work to be done when it comes to cybersecurity and securing passengers’ data in the aviation industry.
