
Don't let airlines crash your data

Airlines are the ideal targets for large scale cyber-attacks because they collect and process vast amounts of passenger personal data every day. And the hackers want your data to sell to scammers, making you more vulnerable.
The airline industry gets heavily targeted by hackers because of the extensive amounts of customer data they hold.

In 2020, British Airways was fined £20m following a data breach which saw the personal details of around 400,000 customers taken by the hackers. In February 2021 airline technology provider SITA was hit by a cyberattack targeting passenger data in its Passenger Service System servers. A few months later, the personal data of thousands of employees of the Dutch airline KLM were leaked due to a data breach at pension provider Blue Sky Group.

In June this year American Airlines and Southwest Airlines had data compromised by the hack of a third party software company which gave away names and social security details of pilots and cadet applicants. The airlines issued warnings to staff to watch out for possible cases of identity theft.

Airlines collect and process vast amounts of passenger personal data on a daily basis. This data will range from their names, email addresses and phone numbers to highly sensitive data such as passport numbers, credit card details and travel plans.

This is also the case for airports, such as Heathrow Airport, which sees on average almost 220,000 passengers pass through every day and has suffered a major data breach.

The sheer volume of passenger traffic makes the aviation industry a goldmine for hackers, and as GDPR and other data regulations with a global reach such as the CCPA are bringing in much higher data protection standards, leaders in the aviation industry are racing to adequately safeguard their data protection systems.

The British Airways data breach

In 2018 nearly 400,000 British Airways customers had their personal data breached when hackers attacked the airline’s databases. The data breach included personal contact information and credit card details, putting consumers at risk.

User traffic from the BA website was diverted to a fraudulent website which then harvested customers’ details including CVV and card numbers, as well as employee usernames and passwords. The fraudulent activity took place between 21 August and 5 September 2018 without interrupting the usual BA booking and payment procedure. The ICO found that BA was processing huge volumes of personal data with inadequate security measures in place to protect consumers and employees alike against the unauthorised or unlawful processing, accidental loss, destruction or damage of their personal data.

Initially the ICO fined BA an astonishing £183,000,000. This was the largest ever fine to be issued under GDPR in the UK, amounting to 1.5% of BA’s annual global turnover. British Airways were stunned by the scale of the fine and they successfully reduced it to £20m - still the largest fine to be handed down by the ICO.

Journalist Chris Stokel-Walker from Wired argued that poor IT infrastructure caused the BA data breach, and that it could have been avoided easily.

The hackers, a group called ‘Magecart online’, were able to access the private information of BA customers through a vulnerability in third party JavaScript used by the BA website.

Andrew Dyer, a cybersecurity researcher at Oxford University, told Wired that as a singular error within a third party script, the vulnerability that was exploited by hackers should have been detected through monitoring.

He went on to say, “However, that it was not found for so long and that script had not been updated suggests a more systemic issue of IT governance at BA – meaning it is unlikely this is an isolated vulnerability. Effective monitoring would have picked up this quickly – not the three months it took BA”.
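The monitoring Dyer describes can start with comparing every third party script a payment page loads against an approved hash and flagging any change. The sketch below is an added example, not code from BA, the ICO or the original article; the URLs, hosts and script bodies are constructed sample data and the function names are hypothetical.

```javascript
// Added example: change detection for third party scripts on a payment page.
// All URLs, hosts and script bodies below are constructed sample data.
const { createHash } = require("node:crypto");

// Same "sha384-<base64>" format a browser checks in a Subresource Integrity attribute.
function sriHash(body) {
  return "sha384-" + createHash("sha384").update(body, "utf8").digest("base64");
}

// Hostnames of absolute URLs mentioned anywhere in a script body.
function referencedHosts(body) {
  const hosts = new Set();
  for (const m of body.matchAll(/https?:\/\/([a-z0-9.-]+)/gi)) hosts.add(m[1].toLowerCase());
  return [...hosts];
}

// baseline: Map of script URL -> approved SRI hash
// observed: [{ url, body }] as fetched from the live page
function auditScripts(baseline, observed, allowedHosts) {
  const findings = [];
  for (const { url, body } of observed) {
    const approved = baseline.get(url);
    if (approved === undefined) {
      findings.push({ url, issue: "unapproved-script" });
    } else if (sriHash(body) !== approved) {
      // Content changed since review: list hosts it mentions that were never approved.
      const newHosts = referencedHosts(body).filter((h) => !allowedHosts.has(h));
      findings.push({ url, issue: "content-changed", newHosts });
    }
  }
  const seen = new Set(observed.map((s) => s.url));
  for (const url of baseline.keys()) {
    if (!seen.has(url)) findings.push({ url, issue: "missing-script" });
  }
  return findings;
}

// Constructed sample: an approved library, then the same URL serving altered content.
const LIB_URL = "https://cdn.example.com/lib/feature-detect.js";
const approvedBody = "window.features = { touch: 'ontouchstart' in window };";
const alteredBody = approvedBody + "\n/* appended block that contacts https://collect.example.net/p */";
const baseline = new Map([[LIB_URL, sriHash(approvedBody)]]);
const allowedHosts = new Set(["cdn.example.com", "pay.example.com"]);

function runSample() {
  return auditScripts(baseline, [{ url: LIB_URL, body: alteredBody }], allowedHosts);
}
console.log(JSON.stringify(runSample(), null, 2));
```

Run on a schedule against the live page, a check like this reports a modified script on its next pass rather than weeks later.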

EasyJet data breach

In May of 2020 EasyJet announced that the personal data of 9 million customers had been breached in a 'highly sophisticated cyber attack'.

The airline first became aware in January 2020 of the attack, in which customer data including travel details, contact details and email addresses was illegally accessed.

Now easyJet is facing a group legal claim brought forward by 10,000 affected customers, making this case one of the biggest group actions in response to a data breach in the UK.

A further investigation found that, beyond the information easyJet admitted to being breached in the claim, the credit card details of 2,200 customers were also breached in the attack.

The law firm PGMBM managed the group action against easyJet, with managing partner Tom Goodhead calling the case, “a monumental data breach and a terrible failure of responsibility that has a serious impact on easyJet’s customers.”

Experts believe that easyJet could face fines that will run into tens of millions for breaching GDPR. Further still, the damages awarded in the group litigation case could add up to as much as £18bn.

EasyJet did not notify the ICO within 72 hours of becoming aware of the breach, as data controllers are supposed to under GDPR. The airline claimed that this was because they needed time to understand the complexity of the attack.

It is expected that the ICO will not accept this reasoning, and that easyJet will face a harsher fine due to this violation of GDPR. This is an expensive mistake to make, particularly when the financial repercussions of this data breach come at a time when easyJet are already cutting 30% of their workforce due to the upheaval caused by the coronavirus pandemic.

EasyJet did not announce how the attackers managed to conduct their hack, however they did say that they believe the perpetrators were after company intellectual property and stole customer data as an afterthought.

Heathrow Airport data breach

In 2018, Heathrow Airport was fined £120,000 by the Information Commissioner’s Office for what they determined to be 'serious' data failings.

Heathrow’s data leak was the result of the individual misconduct of one employee. A member of staff misplaced a USB stick in 2017 containing the 'sensitive personal data' of customers.

Heathrow has said that it regrets the breach, and that the memory stick, which contained 76 folders with more than 1,000 files, was not encrypted or even password protected. They claimed that the sensitive information of only ten people (which included names, dates of birth and passport numbers) was leaked. Staff information was also breached, including that of 50 security personnel.

The British media played a large role in this case – it was the Sunday Mirror who alerted Heathrow about the breach. This report by the Mirror suggested that when the man who found the USB stick plugged it into a public library computer, he saw the exact travel plans of the Queen of England, as well as a map pinpointing CCTV cameras and escape shafts in Heathrow Airport. The paper argued that this was highly sensitive information and the breach could have posed a national security risk.

The ICO did not confirm whether or not all of this information was indeed breached, however they did levy a hefty fine under GDPR regulations. The ICO pointed out that only 2% of Heathrow’s 6,500 workforce had been trained in data protection.

Heathrow Airport says that necessary protection measures have since been implemented.

Cathay Pacific airline data breach

Cathay Pacific, the flag carrier airline of Hong Kong, was fined £500,000 by the UK’s ICO due to the impact of an international data breach on UK customers. The fine was issued this year following an extensive investigation.

9.4 million customers were impacted globally, 111,578 of whom were from the UK.

The breach occurred in March 2018, and the ICO in particular asked why it took Cathay Pacific six months to publicly disclose that a breach had occurred.

Cathay’s inability to secure their data systems resulted in passengers' personal details being illegally accessed including: names, passport and identity details, dates of birth, postal and email addresses, contact details and travelling history.

The UK’s data regulator said that “Cathay Pacific systems were entered via a server connected to the internet and malware was installed to harvest data”, however the ICO also stated that they uncovered a catalogue of errors in how data was being handled.

This included backup files that were not password protected, unpatched internet-facing servers and the use of out-of-date operating services.

Then director of the ICO Steve Eckersley said that the fine was justified because “this breach was particularly concerning given the number of basic security inadequacies across Cathay Pacific’s system, which gave easy access to the hacker.”

Cathay Pacific said in response to the ICO’s investigation and resulting fine that they “cooperated closely with the ICO” and that though no personal data had been misused in this case, as “the sophistication of cyber-attacks continues to increase”, they will “continue to invest in and evolve IT security systems.”

Increasing sophistication

The airline industry needs to get on the front foot when it comes to protecting data against hackers. The criminals are rapidly becoming more sophisticated.

The SITA incident in 2021 and BA’s problem in 2018 show that airlines should focus not only on the security of their own network, but also on the security of their suppliers and partners. The airline industry should continually review security measures and procedures with their suppliers so that third party vulnerabilities are not exploited. Also, airlines should scrutinise the purposes for which data is shared with partner airlines and minimise the sharing of data to only what is relevant and necessary.

What can you do?

If your data is held by an airline, it can be stolen by hackers if they are able to break into the airline’s systems. If they get your data, you can become vulnerable to scams and even identity theft. So the best way to prevent that is to get your data deleted from the airline’s systems long before a hacker can get to it. Rightly Protect is our product that can help you find out which companies have your data and then get it deleted from those that don’t need it any more, quickly and for free.
