Lessons from Airlines IT Provider SITA’s Data Breach
Airlines around the world are focused on improving operational efficiency and enhancing passenger experience as they resume services in a post COVID-19 world. In the process however, they are increasingly being targeted by highly sophisticated attacks. The latest target was aviation IT company SITA that suffered a “highly sophisticated” attack on its IT systems, in which passenger data from multiple airlines around the world was compromised.
SITA essentially provides IT services to the aviation industry around the world, including to airlines, airports, and ground handlers, SITA and serves roughly 90% of the world’s airlines. A data breach at potentially means the frequent flyer details of millions of travelers were compromised.
It was reported last week that the cyber attack targeting frequent flyer data has affected at least 11 airlines around the globe, including Cathay Pacific, Japan Airlines, Lufthansa, Malaysia Airlines, Singapore Airlines, American Airlines, among others.
SITA reported that passenger details stored on its servers, and some of that data may have been accessed, though the company said that for the most part no passwords or payment methods were compromised, but rather this seems to center mostly around names, frequent flyer numbers, and elite status.
This is however not the first-of-its-kind incident in the aviation industry, as Kelly Sheridan points out in her recent article Buckle Up: A Closer Look at Airline Security Breaches, it wasn’t the industry’s first and it won’t be the last because, “airlines and airports are hot targets for cyber attackers, whose motivations range from financial and identity theft to cyber espionage.”
So, why have airlines become prime targets for hackers? One obvious reason is that Airlines collect enormous volumes of passenger data, including credit card information and passport numbers, from their reservation and scheduling systems and frequent flyer programs.
According to Sheridan, “For attackers hoping to cash in on sensitive data, the aviation industry is a gold mine and as the risk of suffering a data breach rise, so does the risk of failure to comply with PII/PCI regulations and tougher data protection laws such as GDPR.”
Deploying technologies such as in-flight entertainment and Wi-Fi connectivity systems increase the attack surface by expanding the number of targets attackers can use to gain access to systems and the data stored on them. Besides, the growing adoption of IoT devices to perform functions such as increasing fuel efficiency and automating repairs, as two key avenues that create new vulnerabilities.
Complexity is another ingredient and definitely a challenge as avionic software may have between 100 million and 1 billion lines of code. As a consequence, software verification represents an important cost and certification is a not a quick process, Jose Monteagudo, CEO, Smartrev Cybersec, mentioned in a recent post.
Also like most other industries, airlines also face the cybersecurity talent shortage, which makes it difficult to hire the cybersecurity experts they need. According to a recent report, the global shortage of cybersecurity experts has reached 2.93 million, posing a growing risk to businesses worldwide struggling to find, hire and retain skilled employees.
Referring to the data breach, Boris Cipot, Senior Security Engineer, Synopsys Software Integrity Group said, “The most concerning aspect of this data breach is the broad scope of the attack. In this case, the breach did not happen as a direct attack on the Airlines, but as a breach to their IT provider.”
According to Cipot, “Lesson which organizations can take away from this scenario is to create security rules and procedures, not only for internal stakeholders but also for their partners in the supply chain. This means taking the software and service provider processes into consideration when discussing a partnership and defining what security measures will be implemented.”
Florian Thurmann, Technical Director, EMEA, SSIG added many organizations don’t see the full picture of what their third-party vendors do with their critical data and systems. For example, if a vendor uses a shared account to access your corporate network, your organization won’t be able to determine which of their employees has made a given change in the system. This lack of visibility, control, and security insight leaves a critical blind spot. Every organization has the responsibility to ensure their software supply chain vendors meet your cybersecurity policy requirements.
Protecting today’s complex infrastructure requires a fundamental change in how the industry approaches security. As we’re seeing in the recent case with SITA, even when a data breach takes place within a vendor’s systems, it’s the responsibility of the airline to ensure the privacy of their customers’ data. This isn’t only the case for airlines, but for organisations across all industries. For this reason, it’s critically important that both vendors and organizations work in collaboration with one another and build a sound security ecosystem.