Not that many planes are taking off these days, but that didn’t stop the flight of passenger records from servers belonging to aviation tech supplier SITA after it was hit by a "cyberattack".
In a public disclosure, the Swiss outfit confirmed it had last month fallen victim to a wide-ranging data security incident that ensnared passengers from some of the world’s largest airlines.
SITA told The Reg:
"As we are still in the process of informing all affected PSS customers (airlines) and all related organizations, we currently do not say more about the type of data that was compromised, nor do we confirm/disclose names of involved parties at this stage, other than airlines that have already gone out to their customers and the public about the incident, which are Jeju Air, (S. Korea), Malaysia Airlines, Finnair, Singapore Airlines, Air New Zealand, Lufthansa, Cathay Pacific, and Japan Airlines."
As the company hinted, this may not be an exhaustive list, and could lengthen as more airlines issue warnings to punters.
Per its own website, SITA has over 2,500 customers in the aviation industry, spanning 200 countries and territories. It also claims its tech is used in 90 per cent of “international destinations.”
SITA didn’t elaborate on the nature or extent of the attack, other than to describe it as “highly sophisticated but limited.” According to its own disclosure, the attackers obtained passenger records from servers hosted in an Atlanta, Georgia data centre operated by an American subsidiary.
It said: "The total period during which the cyber-attacker(s) were able to access SITA’s systems was less than a month. By global and industry standards, this cyber-attack was identified extremely quickly. The seriousness of the cyber-attack was identified on February 24th, 2021 – at which point SITA immediately began the process of notifying the affected parties."
It’s not clear how many records were obtained, nor what they contained. One affected airline, Lufthansa, has written an email - seen by us - to customers.
"The data in question relates exclusively to service card numbers, status level and in some cases names. Unfortunately, your customer data is also affected. You can rest assured, however, that no passwords, email addresses or other personal customer data were stolen in the incident."
In a statement to The Reg, Lufthansa said: “We can confirm that between 21.1.2021 and 11.2.2021 there was a data incident at a service provider of a Star Alliance member. During the incident, hackers managed to enter the reservation system of an Asian airline, which is operated by the IT service provider.”
“Customer data from Star Alliance partners was accessed. Accordingly, customer data from Miles & More (Loyalty programme of Lufthansa Group) is also affected by this incident. It concerns data of approx. 1.35 million Miles & More members, primarily frequent flyers of the programme. Only Miles & More information on the service card number, the status level and, in some cases, the name of the member is affected. Passwords or other customer data such as e-mail addresses were not stored in the service provider's IT system and are therefore not affected by the incident.”
Airlines are an enticing target for digital ne’er-do-wells, in part thanks to the information they hold. Billing and biographical information can present a welcome payday for garden-variety cybercrooks, while state actors may target the aviation sector for intelligence-gathering purposes, or to strike a blow at another nation’s critical infrastructure. Compounding this problem is the industry’s reliance on legacy tech.
In 2018, Hong Kong airline Cathay Pacific fessed up to a data breach that saw 9.4 million records accessed by unauthorised persons. The same year, hackers accessed data on 380,000 transactions with British Airways, with external scripts on its website fingered as the cause. This resulted in the airline initially being stung with a mammoth £183m fine from the UK's Information Commissioner’s Office. BA's fine was subsequently reduced, quite significantly.
Speaking to The Register, Nick McQuire, chief of research, enterprise at CCS Insight, said: “Following hot on the heels of the Solarwinds attack, once again, this incident serves as a timely reminder that these types of cyber events are not only growing in volume, but scale as well.”
He added: “SITA is a reputable, long-standing tech provider for the aviation industry and so are its key IT partners like Orange Business Services. But what it shows us is that no company is immune. This is especially the case in the current climate we’re in where cybercrime, ransomware and nation-state attacks are growing through the roof. For the hardest hit industries such as aviation, investment in modernising IT to improve the security environment is now rapidly becoming a business and board-level priority.”
Bug bounty platform HackerOne security engineer Shlomie Liberow said: "It’s not clear yet what the attack vector was in the SITA breach, but HackerOne vulnerability data shows that the aviation and aerospace industry sees more privilege escalation and SQL injection vulnerabilities than any other industry, accounting for 57 per cent of the vulnerabilities reported to these companies by ethical hackers."
Liberow added: "We’ve seen the aviation industry particularly hard hit over the past year, perhaps because criminals know they will be vulnerable and their focus and priorities on remaining in business," he said, noting that "few [airlines] are digital first businesses and therefore [they] have relied on legacy software, which is more likely to be out of date or have existing vulnerabilities that can be exploited." ®