Supply Chain Attack Jolts Airlines
Malaysia Airlines, Singapore Airlines, Finnair, Air New Zealand Confirm Breaches
An aviation IT company that says it serves 90% of the world's airlines has been breached in what appears to be a coordinated supply chain attack. Customers of at least four companies - Malaysia Airlines, Singapore Airlines, Finnair Airlines and Air New Zealand - may have been affected by the incident.
The Switzerland-based IT company, SITA, says passenger data stored on its SITA Passenger Service System server in the U.S. was stolen.
Earlier this week, Malaysia Airlines confirmed personal information belonging to members of its frequent-flyer program, Enrich, was compromised over a nine-year period, tying the incident to its IT service provider, but not naming SITA.
On Thursday, Singapore Airlines said that about 580,000 frequent-flyer program members were affected by the SITA breach. Although the airline is not a SITA customer, it says its customers were affected via its cooperation with the Star Alliance of airlines.
Meanwhile, Air New Zealand also confirmed Thursday in emails to customers that it had been affected by a breach at one of its Star Alliance airline partners, which it did not name. But it said the data exposed was limited to member names, tier status and membership number.
Finland-based Finnair Airlines also announced Thursday that about 200,000 members of its frequent-flyer program had been affected by the breach of an unnamed service provider that held some Finnair frequent-flyer data.
Data exposed included names, customer numbers, and meal and seating requests, but the airline emphasized that the hackers did not receive contact information, payment card information or passwords, and the hacking did not affect Finnair's systems.
Commenting on the breach, SITA said in a statement: "This was a highly sophisticated attack, and SITA acted swiftly and initiated targeted containment measures. The matter remains under continued investigation by SITA’s security incident response team with the support of leading external experts in cyber-security."
Upon confirming the seriousness of the data security incident on Feb. 24, SITA says it immediately reached out to the affected SITA PSS customers and all related organizations.
"Loyalty data can be easily monetized and [airlines have] huge volumes of data," says Andrew Barratt, managing principal, solutions and investigations at the security firm Coalfire. "This also seems like the inflection point of two themes at the moment – a continued assault on third-party service providers that are then leveraged to gain access to other parties and high-profile businesses that perhaps don’t have the appropriate third-party review programs in place."
Information Sharing Affects Singapore Airlines
Singapore Airlines says its frequent-flyer customers were affected because the company shares data with other Star Alliance members.
"The information involved is limited to the membership number and tier status and, in some cases, membership name, as this is the full extent of the frequent flyer data that Singapore Airlines shares with other Star Alliance member airlines for this data transfer," the company said in a statement.
Singapore Airlines states that all the Star Alliance member airlines provide a restricted set of frequent-flyer program data to the alliance, which is then sent on to other member airlines to reside in their respective passenger service systems.
"This data transfer is necessary to enable verification of the membership tier status, and to accord to member airlines’ customers the relevant benefits while travelling," Singapore Airlines notes. "One of the Star Alliance member airlines is a SITA PSS customer. As a result, SITA has access to the restricted set of frequent flyer program data for all 26 Star Alliance member airlines, including Singapore Airlines."
Boris Cipot, senior security engineer at Synopsys, says the most concerning aspect of the Singapore Airlines data breach is the broad scope of the attack.
"In this case, the breach did not happen as a direct attack on Singapore Airlines, but as a breach of their IT provider," he says. "A lesson which organizations can take away from this scenario is to create security rules and procedures, not only for internal stakeholders but also for their partners in the supply chain. This means taking the software and service provider processes into consideration when discussing a partnership and defining what security measures will be implemented."
Chris Clements, vice president of solutions architecture at the security firm Cerberus Sentinel, says breaches that affect vendor partners "can be even harder to detect than a direct breach of an organization. Now more than ever, businesses need to fully vet and actively manage vendors who may be able to access sensitive systems or data."
Malaysia Airlines Incident
Malaysia Airlines confirmed that personal information belonging to members of its frequent-flyer program, Enrich, was compromised over a nine-year period.
The airline said data was compromised from March 2010 to June 2019, but it did not reveal how many customers were affected, local newspaper Malay Mail reported.
The company notified Enrich members via email. The notification states personal data exposed includes names, dates of birth, contact details and frequent-flyer number, status and tier level, Malay Mail reports.
In a Twitter exchange, the airline says the data compromise occurred at its third-party IT service provider, but it did not mention SITA.
The company issued a statement saying: "The airline is monitoring any suspicious activity concerning its members' accounts and is in constant contact with the affected IT service provider to secure Enrich members' data and investigate the incident's scope and causes," Malay Mail reports.
"It's worth noting that Malaysia Airlines has asked Enrich customers to update their passwords - despite the fact that account passwords were allegedly not affected," says Ray Walsh, digital privacy expert at privacy lobbying group ProPrivacy. "This appears to indicate some level of uncertainty, which is why we must wait for the results of a full forensic examination of the systems that were breached. Malaysia Airlines has stated that Enrich customer names, dates of birth, contact information and frequent-flyer info was breached, which may indicate that the cyberattack poses a bigger threat for customers of certain airlines more than others."
Coalfire's Barratt adds: "Malaysian Airlines seem to have a really broad time frame for the data breach, indicating that they probably didn't have adequate monitoring and alerting systems in place." If Europeans' personal data was exposed, the airline potentially could be fined for violating the EU's General Data Protection Regulation, he notes.
Walsh says the U.S. Federal Trade Commission will likely investigate the SITA breach because a U.S. server was involved. "However, other data protection authorities will also investigate due to the fact that consumers worldwide were affected."
Commenting on the Malaysia incident, Brandon Hoffman, CISO at the security firm Netenrich, notes: "Had more detailed personal information or financial information been stolen, the impact could be very widespread if it took place nine years ago. Time to disclose is critical for the incident response process, especially when it involves third party or vendors."
Other Airlines Fined
British Airways was recently fined $26 million under GDPR in connection with a 2018 breach, and it faces a group lawsuit (see: British Airways Faces Class-Action Lawsuit Over Data Breach).
Last year, the U.K. Information Commissioner's Office fined Cathay Pacific Airways $646,000 for a data breach that exposed the personal information of 9.4 million customers, including 111,000 British citizens, during a four-year period (see: Cathay Pacific Airlines Fined Over Data Breach).
The fine was the largest the U.K. privacy watchdog could impose under the country's older data protection laws because the breach, which started in 2014 and was discovered and fixed in 2018, happened before GDPR went into effect in May 2018.