From ticket purchasing, baggage handling, and operational workflows to in-flight entertainment, airlines operate as multifaceted systems of technology and transportation services merged into one. The operational efficiency that software provides also comes with great risk: airlines are increasingly vulnerable to cyberattacks that threaten critical operational data, passenger information, and business continuity.
Airlines Under Siege: Recent, High-Profile Data Breaches
Recent, high-profile cybersecurity breaches at major airlines have raised pressing concerns about the security of the industry's digital infrastructure. They emphasize the need for a systemic shift toward comprehensively securing the digital landscape.
Air India Data Breach (March 2021): Stemming from a security vulnerability in Air India's Passenger Service System (PSS), managed by SITA, a major data breach exposed the personal details of over 4.5 million passengers. Details such as names, passport numbers, and tickets, alongside frequent flyer details, were taken, showing the massive danger third-party data handlers can pose.
EasyJet Data Leakage (May 2020): An easyJet breach in 2020 exposed the email addresses and travel details of nine million customers. This breach could have resulted from software bugs, API bugs, inadequately monitored external systems such as interface software, or other gaps where defensive security processes could be improved.
Cathay Pacific Data Breach (October 2018): Cathay Pacific experienced a sophisticated data breach that went on for over four years. Cybercriminals exploited control flaws caused by inadequate network segmentation coupled with outdated and unpatched system defenses, leading to unauthorized access to the personally identifiable information of over 9.4 million passengers, including full names, nationalities, travel itineraries, and passport numbers.
British Airways Magecart Attack (August 2018): British Airways suffered a Magecart attack, a form of web skimming in which malicious JavaScript is inserted into web pages and mobile apps. The attackers abused outdated payment-page libraries together with BA's aging, broken third-party payment gateway, and harvested the personal and credit card details of 380,000 customers.
The Weak Link: Outdated Systems and Dependencies
A distinct pattern emerges from these incidents: airlines are constantly working to maintain and repair their sophisticated software systems. Their IT infrastructures have developed over time and grown more and more complex because of a multitude of third-party parts. While these pieces have added services and functionality, they also make the overall system increasingly complex. Such systems can be difficult to keep up with, which in turn can postpone critical updates and patches, leaving them susceptible to cyber threats.
Proactive Defense: Strengthening Airline Cybersecurity
As highlighted in the report, industry expert Andrii Paramonov, aviation practice lead at Sigma Software Group, suggests taking a proactive approach by adding more layers to the airline cybersecurity system in order to mitigate risks. In his professional opinion, the focus should go towards:
Protective Measures by Defining Principles of Secure Coding and Implementing Static Application Security Testing (SAST): This involves analyzing the source code at an early stage in the product lifecycle to detect any possible security vulnerabilities. Early detection minimizes the risk of security vulnerabilities being inadvertently incorporated into production systems.
Conducting Regular Audits and Maintenance on External Dependencies SOW Using Software Composition Analysis (SCA): Potential threats from obsolete or malicious code in external elements and third-party dependencies can be mitigated by regularly maintaining and updating all software components through audit processes.
Application of Vendor Management Policies with SBOM Requirements: Having vendors submit a Software Bill of Materials (SBOM) allows the organization to address any issues related to vendor-supplied software components in a timely fashion.
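As an added illustration of the SBOM requirement above (not code from the article or from Sigma Software), the following Python script reviews a vendor-submitted SBOM at intake. It assumes the vendor delivers CycloneDX JSON; the component names and the FLAGGED advisory list are constructed for the example.

```python
import json

# Constructed vendor SBOM in CycloneDX JSON form (field names follow the CycloneDX schema).
VENDOR_SBOM = json.loads("""
{
  "bomFormat": "CycloneDX", "specVersion": "1.5",
  "components": [
    {"type": "library", "name": "payment-widget", "version": "2.1.0",
     "purl": "pkg:npm/payment-widget@2.1.0"},
    {"type": "library", "name": "legacy-xml", "version": "",
     "purl": "pkg:maven/com.example/legacy-xml"},
    {"type": "application", "name": "booking-core", "version": "7.4.2",
     "purl": "pkg:generic/booking-core@7.4.2",
     "components": [{"type": "library", "name": "fastlog", "version": "1.0.3"}]}
  ]
}
""")

# Hypothetical internal advisory list: purl without version -> versions flagged by the security team.
FLAGGED = {"pkg:npm/payment-widget": {"2.0.9", "2.1.0"}}

def walk(components):
    """Yield every component, including nested sub-components."""
    for c in components or []:
        yield c
        yield from walk(c.get("components"))

def review_sbom(sbom, flagged):
    """Return (component, issue) findings that block acceptance of the SBOM."""
    if sbom.get("bomFormat") != "CycloneDX":
        return [("sbom", "not a CycloneDX document")]
    findings = []
    for c in walk(sbom.get("components")):
        name = c.get("name") or "<unnamed>"
        version, purl = c.get("version"), c.get("purl")
        if not version:  # an unversioned entry cannot be matched against advisories
            findings.append((name, "missing version"))
        if not purl:  # no package URL means no reliable identity for SCA tooling
            findings.append((name, "missing purl"))
        elif version and version in flagged.get(purl.rsplit("@", 1)[0], set()):
            findings.append((name, f"flagged version {version}"))
    return findings

if __name__ == "__main__":
    for name, issue in review_sbom(VENDOR_SBOM, FLAGGED):
        print(f"{name}: {issue}")
```

Entries without a version or package URL are reported as findings because they cannot be tracked or matched against advisories later, which defeats the purpose of requesting the SBOM.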
A Call to Action: Gaining Perspective of Your IT Ecosystem
According to Paramonov, detailed visibility into everything in the airline's IT ecosystem is foundational to cyber defense in the airline sector. Airlines need complete and detailed inventories of all software applications, hardware, and network assets in order to identify and remediate possible security weaknesses.
Conclusion: Proactive Approach is the Undeniable Focus
The numerous public data breaches the airline industry has endured have been a slap in the face for the industry. Airlines need to defend their infrastructure and data, and safeguard their passengers, through advanced cyber strategies, so that systems are continuously strengthened and not just constantly patched.