Cyber-attack against SITA
Global airline technology provider SITA confirmed that its servers were breached in a cyber attack, leading to a data security incident involving passenger data stored on SITA’s Passenger Service System (PSS) servers in Atlanta, Georgia, which operate passenger processing systems for airlines.
SITA serves as a communications and technology vendor for 90 percent of the world’s airlines. We know that the SITA PSS System, which operates passenger processing systems for airlines, holds data from airlines which are alliance members as well as direct customers. As a result, exposure of this passenger data poses a significant threat to both the company itself and its alliance members.
SITA has advised that it undertook immediate action in the aftermath of the incident and has contacted affected customers.
While SITA has not yet disclosed which airline data was affected, some carriers including Singapore Airlines, Thai, Malaysia Airlines, Finnair and Jeju Air issued statements regarding the breach, which appears to have targeted their respective loyalty and frequent flyer programs. According to reports, Cathay Pacific, Air New Zealand and Lufthansa were also affected by the incident. It is believed that this attack resulted in a breach of roughly 500,000 frequent flyer members’ data.
News reports indicate that the attack was highly sophisticated; however, the attack vector remains under investigation by SITA’s Security Incident Response Team. Although the vector is not yet clear, the sensitive nature of the information held by SITA, including passenger names, addresses and passport data, makes it an attractive target for cyber criminals.
- This incident is another in an increasing trend of attacks against third party supply chain providers, and shows how entities can be made vulnerable by their dependence upon third party vendors. In hacking cases like these, the stolen data can directly impact other companies which cooperate both directly and indirectly with IATA.
- This case brings to light a number of recent trends in cyber-attacks, most notably regarding personal data theft, inclusive of:
  - Ransomware – Computers may be infected through actions taken by users who were unknowingly tricked by the attacker, e.g. a virus that encrypts computer files. In this case, the group then held the information to ransom, demanding Bitcoin in exchange for the decryption key.
  - Data theft – An attacker gains access to and steals sensitive data and information. It is primarily carried out silently, meaning that the victims are not aware that the information was stolen. In these cases, a relevant attack vector may be the Advanced Persistent Threat (APT), though this approach requires significant effort on the part of the attacker to successfully undertake.
  - Distributed Denial of Service – This attack, which is typically carried out against service providers including both government and private entities, results in the unavailability of networks and services, which can cause significant interference to services.
- Although the attackers were able to gain access to internal documents which may have included customer information, there is no evidence to indicate that said data has been compromised. To date, the attackers have not released information nor, to the best of our knowledge, have they sent demands to SITA in exchange for not releasing information.
- Without doubt, SITA should be classified as an attractive target for cyber criminals due to the sensitive nature of the information they hold, the strength of their brand within the industry and the magnitude of information we assume they hold.
- Traditional enterprises like airlines have been an attractive target for cyber attacks, as many rely on legacy software which, as we know based on previous case studies, is sometimes out-of-date or may have existing vulnerabilities that were not patched and that may be exploited. In recent years, as many as hundreds of ‘technical glitches’ and cyber incidents of varying levels of sophistication and complexity have been reported in the aviation sector. Some relevant examples include:
  - Air Canada (2018) – Air Canada requested that 1.7 million mobile app accountholders reset their passwords after it detected unusual login behavior which may have exposed 20,000 accounts, including customer passport details as well as app profile data containing a person’s name, address and email address.
  - British Airways (September 2018) – British Airways announced that the personal and financial information of 380,000 of their passengers had been hacked. Passenger names, home addresses and credit card data were all stolen during the 15-day security breach. A script running on BA’s baggage claim information page had been changed just before the breach began. The new script was designed to capture the personal and financial data customers entered, including names and home addresses, as well as credit card numbers, expiry dates and CVV codes. That information was then relayed to a database under the hacker’s control. In this attack, hackers were able to gain access to sensitive information without disturbing the flow of commerce or raising suspicion.
  - Cathay Pacific (2018) – Cathay Pacific acknowledged that the personal data of up to 9.4 million passengers, including passport numbers, was accessed by unauthorised personnel. The discovery that some of its information systems had been compromised was made amid routine ‘ongoing IT security processes.’ Data accessed included passenger names; nationalities; dates of birth; phone numbers; email addresses; physical addresses; 860,000 passport numbers; 245,000 Hong Kong ID card numbers; frequent flyer programme membership numbers; customer service remarks; and historical travel data.