The airline industry, by its very design, is at the forefront of technology. From online ticket processing to routing to maintenance and engineering, the industry makes use of all manners of technology. Travelers can book tickets from their smart devices; pilots can obtain routing, fuel, and passenger manifests on their company-issued devices; reservations are handled entirely by machines. What does all this “new” technology mean for cyber and data security? Well, it certainly means an expansion of the attack surface, making each device a potential attack vector. It also makes each system user more vulnerable, as airlines tend to be an attractive target for hackers given the volume of monetizable data that is collected and stored. Steve Mikhlin, an Executive Director at Morgan Stanley and graduate of the Certified Cyber Insurance Specialist training course, has created a comprehensive breakdown of cyber risk in the airline industry.
PII boosts Cyber Risk in the Airline Industry
Of the thousands of hacking attempts on the industry made by cyber criminals every hour, a 2018 attack on Cathay Pacific stands out. In that successful attack, hackers were able to use malware to gain access to the personally identifiable information (PII) of 9.4 million passengers.
The breach included highly coveted records such as:
- Names
- Nationalities
- Birth dates
- Phone numbers
- Addresses
- Passports
- Identity card numbers
- Expired credit card numbers
As a result of the attack, the Cathay stock drastically plummeted in value. Several authorities fined the airline for its lack of oversight, including the UK’s Information Commissioner’s Office (ICO), which levied a fine of EUR 500,000. Citizens whose information was affected by the breach have also pursued fines against the airline. While the total cost of the breach was not clear, investigation, data monitoring, third-party suits, and regulatory fines are likely to bring the cost to tens of millions of dollars.
Top Cyber Risks in the Airline Industry
Malicious Actors
The airline industry has a lot more at risk than just PII to worry about. We can’t overlook the appeal for hackers: from script kiddies looking to cause an inconvenience to hacktivists protesting the industry’s use of fossil fuels to cyber terrorists looking to cause physical harm and damage to advance their religious or political views, the airline industry remains a viable target.
It is no secret that threat actors have been fascinated with the possibility of hacking into an aircraft. In 2016, a group remotely hacked a Boeing 757 passenger aircraft parked at Atlantic City airport. Fortunately, that group was the Department of Homeland Security, testing the possibility of hacking a parked aircraft.
Malware
The airline industry is at constant risk of a malware attack. In the 2008 crash of Spanair Flight 5022, it was discovered that a central computer system used to monitor technical problems in the aircraft was infected with malware. The infected computer failed to detect three technical problems with the aircraft which would have prevented the plane from taking off. While the airline industry continues to make strides to protect systems from internal and external threats, the growth in the use of personal devices has increased the attack vectors.
Third-Party Risks
Hackers, both those looking to monetize PII and those looking to cause physical harm, have looked to expand the attack surface to third-party contractors. The airline industry depends heavily on the use of third-party contractors: everything from fueling to dispatch to component repair to catering are potential vulnerabilities. The industry must continue to remain vigilant and protect its IT systems and third-party vendors.
In conclusion, the cyber risk in the airline industry underscores the urgent need for comprehensive cybersecurity measures. As digitalization continues to transform aviation, a proactive and vigilant approach is essential to mitigate the expanding attack surface and ensure the security of both sensitive passenger information and critical operational systems.
Disclaimer: This article is not made on behalf of Steve Mikhlin’s employer, only as a student of the Cyber Insurance Academy with a great deal of prior experience in the airline industry.