In the US, the Transportation Security Administration (TSA) is using emergency powers to force the aviation sector to develop cyber resiliency plans, as the Biden administration continues to push for all aspects of critical infrastructure cyber defence to be bolstered.
The new TSA cybersecurity requirements will apply to airports and airplane operators, and impacted parties will need to demonstrate that planes can continue to safely operate in the event of compromise by a cyber-attack, and will be subject to new standards in access control and monitoring of their networks.
Airlines continue to be an irresistible target for cybercriminals, with around $1bn a year lost from fraudulent websites alone. Add to that data theft, card fraud, air miles fraud, phishing, fake invoices and more, and you have a perfect storm for a part of the industry that continues to reel from the pandemic. Every week, an aviation company suffers a ransomware attack somewhere in the world, with big impacts on productivity and business continuity, let alone data loss and/or costly extortion demands paid to restart operations.
Thankfully, no impact on flight safety has yet been reported – but that is no grounds for complacency, with state-sponsored or highly organised crime syndicates capable of conducting large-scale targeted intrusions that aim at massive disruption as much as financial gain.
In Europe, a major Eurocontrol report has found that many aviation businesses, including in the supply chain, are exposing themselves to extra risk by not systematically applying basic IT security controls.
61% of all identified cyber-attacks in 2020 targeted airlines, almost twice as many as the two next largest market segments combined (16% manufacturers, 15% airports). Most of these attacks – 95% – were financially motivated: 739 out of 775 incidents. This led to financial loss in 55% of cases, and the leaking or theft of personal data in an additional 34% of cases.
The fake airline ticket business is extremely lucrative: the average value of a purchase is significantly higher than that of a legitimate purchase. “Big Game Hunting” fraudsters are drawn to the profit margins on airline ticket fraud – where the average cost of a fake ticket, at around $1,930, is almost triple that of a legitimate purchase (on average $606).
Airline loyalty programme accounts are a hugely attractive target for fraudsters, and the pandemic has accelerated criminal interest as airlines began returning money via loyalty accounts to passengers whose flights had been cancelled owing to the pandemic, or extending the validity period of accumulated miles. In 2020 EATM-CERT issued alerts to 30 airlines and detected 15,493 accounts on offer on the dark web, worth over $400,000. The total market value of unredeemed miles is enormous – estimated by IATA at $238bn. The average value of a compromised account rose by 48% between Q1 and Q4, 2020.
Aviation is moving towards more and more digitalisation thanks to new technologies and concepts using non-aviation-specific means (e.g. cloud, 5G, internet, satellite communications and navigation). This will inevitably increase the number of aviation actors potentially impacted by a cyber-attack.
The challenge now lies in making aviation systems/services progressively more and more cyber-resilient while remaining safe and cost-effective.
“Protecting our nation’s transportation system is our highest priority and TSA will continue to work closely with industry stakeholders across all transportation modes to reduce cybersecurity risks and improve cyber resilience to support safe, secure and efficient travel,” said US TSA Administrator David Pekoske. “This amendment to the aviation security programmes extends similar performance-based requirements that currently apply to other transportation system critical infrastructure.”
Just last month, Scandinavian Airlines (SAS) posted an alert warning passengers that a recent multi-hour outage of its website and mobile app was caused by a cyber-attack that also exposed customer data.
The cyber-attack caused some form of malfunction on the airline's online system, causing passenger data to become visible to other passengers. This data includes contact details, previous and upcoming flights, as well as the last four digits of the credit card number.
“Last night SAS, alongside several other companies, were subjected to a cyber-attack that led to our website and app being down for a few hours. Furthermore, some passengers' data became visible to other passengers who were active during the ongoing attack.”
Portugal’s national airline TAP Air Portugal confirmed hackers obtained the personal data of some of its customers and have published the information on the dark web. No payment data was taken in the cyber-attack, the flag carrier said in a statement.
The attack began weeks before and is now being investigated by Portuguese authorities, with the help of specialists from Microsoft, the airline said. Portuguese newspaper Expresso said a hacker group was offering the information of 1.5mn TAP Air Portugal customers on the dark web.

The author is an aviation analyst. Twitter handle: @AlexInAir