Airlines continue to be an irresistible target for cybercriminals, with around $1bn a year lost from fraudulent websites alone. Add to that data theft, card fraud, air miles fraud, phishing, fake invoices and more, and you have a perfect storm for a part of the industry that continues to reel from the pandemic. Every week, an aviation company suffers a ransomware attack somewhere in the world, with big impacts on productivity and business continuity, let alone data loss and/or costly extortion demands paid to restart operations.
No impact on flight safety has yet been reported – but that is no grounds for complacency, with state-sponsored groups or highly organised crime syndicates capable of conducting large-scale targeted intrusions that aim at massive disruption as much as financial gain.
In Europe, a Eurocontrol report has found that many aviation businesses, including in the supply chain, are exposing themselves to extra risk by not systematically applying basic IT security controls.
Around 61% of all identified cyber-attacks in 2020 targeted airlines, almost twice as much as the two next largest market segments combined (16% manufacturers, 15% airports). Most of these attacks – 95% – were financially motivated: 739 out of 775 incidents. This led to financial loss in 55% of cases, and the leaking or theft of personal data in an additional 34% of cases.
The fake airline ticket business is extremely lucrative: the average value of a fraudulent purchase is significantly higher than that of a legitimate purchase, and “fraudsters are drawn to the profit margins on airline ticket fraud – where the average cost of a fake ticket, at around $1,930, is almost triple that of a legitimate purchase (on average $606).”
Airline loyalty programme accounts are a hugely attractive target for fraudsters, and the pandemic has accelerated criminal interest as airlines began returning money via loyalty accounts to passengers whose flights had been cancelled owing to the pandemic, or extending the validity period of accumulated miles. In 2020, around 30 airlines had 15,493 passenger loyalty accounts on offer on the dark web, worth over $400,000. The total market value of unredeemed miles is enormous – estimated by IATA at $238bn. During the pandemic the average value of a compromised account rose by 48% between 1Q and 4Q 2020.
With aviation moving towards more and more digitalisation thanks to new technologies and concepts using non-aviation-specific means (e.g. Cloud, 5G, Internet, satellite communications and navigation), it’s somewhat inevitable that there has been an increase in the number of aviation actors potentially impacted by a cyber-attack.
The challenge now lies in making aviation systems/services progressively more and more cyber-resilient while remaining safe and cost-effective.
“Protecting our nation’s transportation system is our highest priority and TSA will continue to work closely with industry stakeholders across all transportation modes to reduce cybersecurity risks and improve cyber resilience to support safe, secure and efficient travel,” said US TSA Administrator David Pekoske. “This amendment to the aviation security programs extends similar performance-based requirements that currently apply to other transportation system critical infrastructure.”
Among documented cases, Scandinavian Airlines (SAS) is one airline to have posted an alert warning passengers that a recent multi-hour outage of its website and mobile app was caused by a cyberattack that also exposed customer data. The cyberattack caused some form of malfunction on the airline's online system, causing passenger data to become visible to other passengers. This data includes contact details, previous and upcoming flights, as well as the last four digits of the credit card number.
At the time of the cyber-attack, it stated: “Last night SAS, alongside several other companies, were subjected to a cyberattack that led to our website and app being down for a few hours. Furthermore, some passengers' data became visible to other passengers who were active during the ongoing attack.”
Earlier this year, Kenya Airways, one of Africa’s largest airlines, claimed it was attacked by the “Ransomexx” ransomware gang. The group has shared what is alleged to be company data on the dark web. The attackers shared over 2GB of data they say was stolen from the airline, which included sensitive information. The data reportedly included passport copies and various internal airline reports.
Portugal’s national airline TAP Air Portugal had previously confirmed that hackers had obtained the personal data of some of its customers and published the information on the dark web. No payment data was taken in the cyberattack, the flag carrier said in a statement.
In the Portugal scenario, the attack began weeks before and was later investigated by Portuguese authorities, with the help of specialists from Microsoft. Portuguese newspaper Expresso said a hacker group was offering the information of 1.5mn TAP Air Portugal customers on the dark web.
In October last year, Spanish airline Air Europa suffered a cyberattack on its online payment system that left some of its customers' credit card details exposed, the company said.
The airline e-mailed customers whose credit card details were affected and notified the relevant financial institutions, it added. It did not specify the number of customers affected, nor did it estimate the financial impact of the cyberattack. The company said no other information had been exposed.
In 2021, the airline was fined for its mishandling of another breach that affected 489,000 customers in 2018, the OCU said in a statement. Air Europa reported that incident 41 days after it happened, whereas companies are required to do so within 72 hours.
Madrid-based Air Europa is in the process of being taken over by British Airways-owner International Consolidated Airlines Group.
Also last year, Canada’s largest airline carrier, Air Canada, reported a cyberattack. The Canadian airline claimed that an unauthorised group of hackers obtained access to its internal system. The latest hacking has exposed the personal information of an unknown number of employees working for Air Canada.