Cyber incidents affecting airlines
Some North American airlines have issued statements regarding cyber security incidents in recent days. There is currently no evidence to suggest that these incidents are connected, but these examples highlight the prevalence of such activity:
- Virgin airlines detected unauthorised third-party access to their databases containing employee and contractor data in March 2017, including corporate credentials. In addition, over 100 individuals may have had further details such as social security numbers, driving licences and health-related information stolen.
- A hacker claims to have obtained information on over 11 million Spirit Airlines customers. The airline notified customers of an incident whereby details including passwords, dates of birth, phone numbers, addresses and email addresses were published online. Spirit stated that the data was acquired from a breach unrelated to the airline. The hacker contacted media organisations claiming to have discovered a vulnerability and attempted to alert the airline. When the airline did not respond, they posted the details online. Spirit Airlines claim the individual issued a ransom demand for the data and that it appears to be a collection of details from previous data breaches.
- WestJet airlines have informed customers that an unauthorised third party disclosed Reward members' profile information online, although they state that this did not include payment card details.
Airlines collect a significant amount of customer data and as such can be an attractive target for malicious actors. Vast supply chains and the move to online administrative systems increase the potential cyber threat if such vulnerabilities are not properly managed. Password security features in several of the incidents; see the NCSC password guidance.