All of the big data breaches in the UK aviation industry
There's a lot of them.
By Eimer Mcauley
Tue 13 October 2020
Airlines are the perfect targets for large scale cyber-attacks because they collect and process vast amounts of passenger personal data on a daily basis. This data will range from their names, email addresses and phone numbers to highly sensitive data such as passport numbers, credit card details and travel plans.
The same is true of airports: Heathrow, for example, sees on average almost 220,000 passengers pass through every day, and it too has suffered a major data breach.
The sheer volume of passenger traffic makes the aviation industry a goldmine for hackers, and as GDPR and other data regulations with a global reach such as the CCPA are bringing in much higher data protection standards, leaders in the aviation industry are racing to adequately safeguard their data protection systems.
In this blog we'll take a look at four major data breaches which affected UK passengers, and were investigated by the UK’s data protection watchdog, the Information Commissioner’s office (ICO).
The British Airways 2018 data breach
In 2018 nearly 400,000 British Airways customers had their personal data breached when cyber-criminals attacked the airline’s databases. The data breach included personal contact information and credit card details – highly sensitive data that put consumers at risk.
The Information Commissioner’s office fined BA an astonishing £138,000,000. This was the largest ever fine to be issued under GDPR in the UK, amounting to 1.5% of BA’s annual global turnover. British Airways were stunned by the scale of the fine, and said they were 'surprised and disappointed' with the action the ICO had taken.
Journalist Chris Stokel-Walker from Wired argued that poor IT infrastructure caused the BA data breach, and that it could have been easily avoided.
The breach occurred over a period of three months. Users who were booking flights with BA at this time were re-directed to a fake website that gathered their personal information. The real failing here was concentrated in a lack of safeguarding in BA’s online payment services.
Andrew Dyer, a cybersecurity researcher at Oxford University, told Wired that because the exploited vulnerability was a single error within a third-party script, it should have been detected through monitoring:
'However, that it was not found for so long and that script had not been updated suggests a more systemic issue of IT governance at BA – meaning it is unlikely this is an isolated vulnerability. Effective monitoring would have picked up this quickly – not the three months it took BA.'
This, he argued, is why the enormity of the fine imposed by the ICO was justifiable.
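The monitoring the researcher describes can be as simple as a periodic integrity check of the scripts a payment page loads. The following is an added example, not code from the article or from any airline: it records a SHA-256 baseline for each approved script, then flags scripts that have changed, appeared from an unapproved host, or gone missing. All hostnames and script bodies are constructed for the example.

```python
import hashlib
import re
from urllib.parse import urlparse

SCRIPT_SRC = re.compile(r'<script\b[^>]*\bsrc=["\']([^"\']+)["\']', re.IGNORECASE)

def script_sources(html):
    """Return the src URL of every external <script> tag in a served page."""
    return SCRIPT_SRC.findall(html)

def fingerprint(content):
    """SHA-256 hex digest of a script body; this is what the baseline records."""
    return hashlib.sha256(content).hexdigest()

def audit(html, fetched, baseline, allowed_hosts):
    """Compare the scripts a page loads now ({url: bytes} in fetched) with the
    approved baseline ({url: sha256 hex}). Returns sorted (finding, url) pairs;
    an empty list means no drift since the last review."""
    findings = []
    current = set(script_sources(html))
    for url in current:
        if (urlparse(url).hostname or "") not in allowed_hosts:
            findings.append(("unapproved-host", url))
        if url not in baseline:
            findings.append(("new-script", url))
        elif fingerprint(fetched.get(url, b"")) != baseline[url]:
            findings.append(("modified-script", url))
    for url in baseline:
        if url not in current:
            findings.append(("removed-script", url))
    return sorted(findings)

# Constructed sample (hostnames and script bodies are made up for this example).
APPROVED_JS = b"window.UiLib = {};"
BASELINE = {"https://cdn.vendor.test/ui-lib.js": fingerprint(APPROVED_JS)}
ALLOWED_HOSTS = {"www.airline.test", "cdn.vendor.test"}

# A later snapshot: the vendor script has had code appended and a script from an
# unexpected host now appears in the page.
PAGE_NOW = ('<script src="https://cdn.vendor.test/ui-lib.js"></script>'
            '<script src="https://static.elsewhere.test/x.js"></script>')
FETCHED_NOW = {
    "https://cdn.vendor.test/ui-lib.js": APPROVED_JS + b"\n// unexpected appended code",
    "https://static.elsewhere.test/x.js": b"// body of the injected script",
}

def demo():
    """Run the audit on the later snapshot; each finding is one alert to raise."""
    return audit(PAGE_NOW, FETCHED_NOW, BASELINE, ALLOWED_HOSTS)
```

Run on a schedule against the live page, a check like this turns a silent three-month modification into an alert on the first run after the change.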
EasyJet data breach
In May of this year EasyJet announced that the personal data of 9 million customers had been breached in a 'highly sophisticated cyber attack'.
The airline first became aware of the attack in January 2020, and later confirmed that customer data including travel details, contact details and email addresses had been illegally accessed.
Now easyJet is facing a group legal claim brought forward by 10,000 affected customers, making this case one of the biggest group actions in response to a data breach in the UK.
A further investigation found that, beyond the information easyJet admitted to being breached in the claim, the credit card details of 2,200 customers were also breached in the attack.
The law firm PGMBM managed the group action against easyJet, with managing partner Tom Goodhead calling the case, 'a monumental data breach and a terrible failure of responsibility that has a serious impact on easyJet’s customers.'
Experts believe that easyJet could face fines that will run into tens of millions for breaching GDPR. Further still, the damages awarded in the group litigation case could add up to as much as £18bn.
EasyJet did not notify the ICO within 72 hours of becoming aware of the breach, as data controllers are required to do under GDPR. The airline claimed that this was because they needed time to understand the complexity of the attack.
It is expected that the ICO will not accept this reasoning, and that easyJet will face a harsher fine due to this violation of GDPR. This is an expensive mistake to make, particularly when the financial repercussions of this data breach come at a time when easyJet are already cutting 30% of their workforce due to the upheaval caused by the coronavirus pandemic.
EasyJet did not announce how the attackers carried out their hack. They did say, however, that they believe the perpetrators were after company intellectual property and stole customer data as an afterthought.
Heathrow Airport data breach
In 2018, Heathrow Airport was fined £120,000 by the Information Commissioner’s Office for what they determined to be 'serious' data failings.
Heathrow’s data leak was the result of the individual misconduct of one employee. A member of staff misplaced a USB stick in 2017 containing the 'sensitive personal data' of customers.
Heathrow has said that it regrets the breach. The memory stick, which contained 76 folders with more than 1,000 files, was not encrypted or even password protected. Heathrow claimed that the sensitive information of only ten people (which included names, dates of birth and passport numbers) was leaked. Staff information was also breached, including that of 50 security personnel.
The British media played a large role in this case – it was the Sunday Mirror who alerted Heathrow to the breach. The Mirror's report stated that when the man who found the USB stick plugged it into a public library computer, he saw the exact travel plans of the Queen of England, as well as a map pinpointing CCTV cameras and escape shafts in Heathrow Airport. The paper argued that this was highly sensitive information and that the breach could have posed a national security risk, all the more so as the leak happened only weeks after the Parsons Green Tube bombing.
The ICO did not confirm whether or not all of this information was indeed breached, however they did levy a hefty fine under GDPR regulations. The ICO pointed out that only 2% of Heathrow’s 6,500 workforce had been trained in data protection.
Heathrow Airport says that necessary protection measures have since been implemented.
Cathay Pacific airline data breach
Cathay Pacific, the flag carrier airline of Hong Kong, was fined £500,000 by the UK’s ICO due to the impact of an international data breach on UK customers. The fine was issued this year following an extensive investigation.
9.4 million customers were impacted globally, 111,578 of whom were from the UK.
The breach occurred in March 2018, and the ICO in particular asked why it took Cathay Pacific six months to publicly disclose that a breach had occurred.
Cathay’s inability to secure their data systems resulted in passengers' personal details being illegally accessed including: names, passport and identity details, dates of birth, postal and email addresses, contact details and travelling history.
The UK’s data regulator said that “Cathay Pacific systems were entered via a server connected to the internet and malware was installed to harvest data”, however the ICO also stated that they uncovered a catalogue of errors in how data was being handled.
This included backup files that were not password protected, unpatched internet-facing servers and the use of out-of-date operating systems.
Then director of the ICO Steve Eckersley said that the fine was justified because “this breach was particularly concerning given the number of basic security inadequacies across Cathay Pacific’s system, which gave easy access to the hacker.”
Cathay Pacific said in response to the ICO’s investigation and resulting fine that they “co-operated closely with the ICO” and that, though no personal data had been misused in this case, as “the sophistication of cyber-attacks continues to increase”, they will “continue to invest in and evolve IT security systems.”
Airlines cannot make their systems bulletproof and stop all malware from getting in, but through regular monitoring and the hiring of cybersecurity staff they can mitigate many of the threats cyber criminals pose.
When passengers provide their details to airports and airlines they should be able to do so in the secure knowledge that their data is being protected, and used solely for legal purposes. As cyber criminals evolve their hacking methods and malware becomes harder to detect, airlines too must evolve their data protection measures, and alert the ICO when a breach has occurred.