When most people think of commercial aviation and security, they likely conjure up images of long lines of people shuffling along with their shoes off, plastic bins in hand. But lately a different kind of security has been making headlines when it comes to airlines.
In October 2018, Cathay Pacific announced that the personal data of up to 9.4 million passengers had been accessed in a breach the airline had first detected in March. According to the airline, the exposed data included names, dates of birth, passport and identity card numbers and details of where each passenger had travelled, along with a small number of credit card numbers. The airline said there was no evidence the personal information had been misused.
The Cathay Pacific incident is only the latest example of a high-profile data breach affecting a major airline this year.
In August, Air Canada said it had “detected unusual log-in behavior” on its mobile app. Days later, it confirmed a breach that it said could affect about 1 percent of its app users, roughly 20,000 people. In an email to customers, the airline disclosed that attackers may have accessed everything from basic profile data (names, emails and phone numbers) to more sensitive data such as passport numbers and dates of birth. Credit card details saved to affected profiles were also reachable, though the airline said that data was encrypted and stored to PCI standards and was therefore not at risk.
That was followed in September by British Airways revealing that a breach had affected some 380,000 booking transactions made on its website and app between 21 August and 5 September. Sensitive payment data, including card numbers, expiry dates and CVV codes, was compromised along with passenger names, billing addresses and email addresses, according to the airline. The presence of CVV codes is telling: merchants are not permitted to store them, so the data must have been captured as customers typed it. Threat intelligence firm RiskIQ attributed the intrusion to Magecart, a criminal group known for injecting card-skimming JavaScript into payment pages; in RiskIQ's analysis, a modified script on BA's site copied the contents of the payment form and sent it to an attacker-controlled domain at the moment the customer submitted it.
And in April, Delta Air Lines disclosed that customer payment data had been exposed through a security lapse at [24]7.ai, a third-party vendor that provided its online customer-support chat.
So why are airlines suddenly finding themselves prime targets for hackers?
There is no short answer, but it is clear that while airlines have become increasingly dependent on technology for both internal processes and customer-facing applications, they have been slow to adopt the level of security those systems require. In recent years, for example, airlines have pushed travelers towards mobile apps for tracking flights and holding digital boarding passes. The convenience is real, but every new app, API and login is new attack surface, and account-based services in particular invite automated attacks such as credential stuffing, in which passwords leaked from one breach are replayed against another site. Airlines have also increased their dependence on third-party software and B2B services to deliver value to customers faster. Not knowing the security posture of that software supply chain has turned out to be very costly for airlines and their customers alike, as the Delta incident shows.
However, the problem isn’t limited to mobile apps. According to the yearly “State of Application Security” research conducted by WhiteHat Security, more than one-third of all applications in the transportation industry fall into the report's “always vulnerable” category, meaning they carried at least one open serious vulnerability on every day of the year.
To lessen the risk of further data breaches, the aviation industry as a whole must change the way it approaches security. Instead of thinking about “what we need to secure,” airlines should focus on “who we need to secure.” In other words, airlines need to model their security efforts around the millions of customers who trust them to protect the personal information they are required to hand over in order to fly.
Furthermore, every company that touches this data – not just the airlines themselves, but the vendors and partners that process it on their behalf – needs to make security a consistent, top-of-mind concern and treat the entire IT estate as attack surface that needs to be defended. This means protecting every potential point of entry, including APIs, network connections, mobile apps, websites and databases, and the third-party scripts those websites load.
Most importantly, to avoid breaches, and the business impact of locking out users or taking systems offline to contain them, airlines and other travel companies must take a proactive approach to application security. This means testing all software assets – web, mobile and APIs – throughout the development lifecycle rather than only before launch: static and dynamic analysis during development, review of third-party components and vendor integrations, and penetration testing and continuous assessment once systems are in production. Providing adequate training and fostering meaningful collaboration between development and security teams is equally important, because it helps both sides understand and prioritize how to mitigate risk.
It’s not a stretch to say that comprehensive security testing and training, combined with continuous assessment of production assets, would have caught the weaknesses behind several of these incidents and would substantially reduce both the likelihood and the scale of future breaches.
Of course, there are also things the traveling public can do to protect themselves when a data breach occurs. The first thing travelers should do is change their password on the affected airline’s app and, if they have reused that password anywhere else, change it there too; attackers routinely replay leaked credentials against other sites, so every account should have its own unique password, which in practice means using a password manager. Turning on two-factor authentication for any app that supports it is also a good idea. Where payment card data was exposed, as in the British Airways case, customers should monitor their statements and ask their bank for a replacement card. Passport numbers and dates of birth cannot be changed, so travelers whose identity documents were exposed should watch for signs of identity fraud and treat unexpected account or credit activity with suspicion.
That said, the onus is on the aviation industry to address this problem, and these recent data breaches should serve as a wake-up call. For all intents and purposes, today’s airlines are tech companies, and they need to implement security as such.
While airlines deserve credit for employing cutting-edge technology in creative ways to increase convenience for travelers, they must also take accountability for the “digital safety” of their customers as seriously as they take aviation safety.