British Airways Hacked: Aviation industry is a growing target for cybercriminals

British Airways Breach

British Airways (BA) has been hacked. On Wednesday evening BA noticed some anomalies and realised that something was very wrong. After investigating through the night, it uncovered that customer data had been stolen. BA began notifying customers on Thursday night that a data breach had occurred impacting their financial and personal information (name, email address and credit card information). All customers that had booked flights with BA using its mobile app or website between the 21 August through to the 5 September are affected. It’s believed that 380,000 customers are affected by this breach.

Customers in their thousands are cancelling bank cards as their financial details have been compromised. Banks are inundated with calls from customers and helplines are backlogged. Customers are frustrated and annoyed and are taking to social media to vent their anger at the airline and to complain with regards to how BA is handling this incident.

It was a sophisticated criminal act. BA has informed the ICO and investigations are underway, but they are in the early stages. Additionally, The National Crime Agency has been informed of the data breach and is investigating.

It’s thought that the card details were intercepted rather than stolen from the BA database as BA’s CEO has confirmed that CVV numbers were also stolen and insists BA does not store this data.

BA has assured its customers that the breach has been resolved and that its website is now safe to use. It has also confirmed that no Passport information was compromised.

In recent months BA has suffered multiple IT related issues.  In July IT issues led to multiple flights being cancelled causing large travel disruption. In May over 2000 BA passengers had their flights cancelled due to tickets that BA sold online at an incorrect price (too cheap). Last year IT issues resulted in thousands of BA passengers facing travel disruption when 726 flights from Heathrow and Gatwick were cancelled leaving 75,000 passengers stranded.

The most recent BA data breach is the latest in a string of data breaches to hit the aviation industry. Air Canada confirmed a data breach last week, which affected 20,000 of its customers.

Air Canada Breach

Air Canada suffered a data breach leading to the potential loss of thousands of its customers’ personal information. Basic customer profile data including names, email addresses and phone numbers were affected, but other highly sensitive data included passport details: passport numbers, country of issue, expiry dates, nationality, country of residence and birth date may also have been stolen when the Air Canada mobile app was compromised. Additionally, any other information the customer had saved in their profile data such as aeroplane number, traveller number, NEXUS number, gender, date of birth, and nationality.

Theft of passport information, a government-issued ID, could result in dire consequences as the potential for Identity fraud is high.

Between the 22 and 24 August, Air Canada discovered unusual login behaviour on its mobile app and proceeded to lock down all of its 1.7 million customer accounts. It’s believed that data from 20,000 of those accounts had been stolen. The cause of the breach is not yet known; however, it’s been revealed that the airline’s website security was not great, as their password system was rather weak.

In this case, Air Canada confirmed that all credit card details were encrypted.

Airlines must take action now

In July Thomas Cook Airlines confirmed the names, email addresses and flight details of its customers had been accessed and compromised. In May Delta Airlines confirmed two breaches had occurred the previous year during September and October.

All these incidents suggest that Airlines’ information systems are not as robust and secure as they should be. Considering the volume of data flowing through these systems, required to safely transport millions of passengers across the world on a daily basis–they should be extremely robust and secure.

The impact of system failure or cyberattacks can have catastrophic consequences for the industry and its customers. The safety and security of aircraft and their passengers, the operational reliability and financial well-being of airlines and airports as well as the reputation of the aviation sector as a whole are being threatened by cybercriminals.

BA has apologised for the data breach and is trying to assure customers that it takes the protection of customers’ data very seriously. However, if this were the case–why was the data not protected? If this were the case–this breach would not be making the headlines in the same way that it is today.

Alex Cruz, British Airways’ chairman and chief executive, said: “We are deeply sorry for the disruption that this criminal activity has caused. We take the protection of our customers’ data very seriously.”

Impact of a cyberattack on the aviation industry is massive

The aviation industry, as it stands, is feeling the full weight of consumer concern. Airlines and airports must strengthen their security and fast, especially since they’re facing significant cybersecurity risks.

Budget constraints, increased connectivity–multiple devices that connect to internal systems (scanners and monitors for example) and weak, insecure and outdated systems and solutions can all increase the security risk. Risk brought about through the supply chain is also a common occurrence now.

The Evolution in technology has forced aviation to adopt more advanced solutions, but many still have legacy systems in place. This mix of old and new makes it more difficult to achieve end-to-end protection across all systems. Especially within an environment which comprises a complex architecture of interconnected IT and communication systems.

Personal and highly sensitive data is flowing constantly within the aviation industry. The data asset is massive. The opportunity and profitability for hackers are huge and they are very aware of this. Airlines must protect the data. This is what the criminals are after and the aviation industry is an easy target as has been shown time and time again.

The Aviation industry is experiencing heightened cybersecurity risks as it is highly dependent on technology and data. The impact is broad with the potential to affect all parts of the industry causing privacy, safety and operational issues.

Encourage a security culture and leverage tools that strengthen cybersecurity capabilities

Cyberattacks are advanced and sophisticated and partial security will not suffice. Today’s cybercriminals have the resources and the opportunities to find the gaps and vulnerabilities to get what they want.

These recent events are examples of the impact a security incident can have on consumer privacy as well as airline reputation. The industry needs to modernise legacy systems, improve its security procedures and ensure their supply chain is secure. This is necessary to better protect consumer personal and sensitive data.

The aviation industry is facing cybersecurity threats and challenges like any other industry, but in this sector, the impacts can be much greater. With every breach, an airlines brand and business continuity are endangered and this is a risk that management needs to protect their fleet against.

Airlines must address the cybersecurity risks across the entire airline including organisational IT, maintenance, operations, supply chain and consumer-facing systems. Focusing on identity and access management, data protection and encryption, security by design and security awareness is essential to achieve more secure systems and environment on the whole.

As demonstrated by the Air Canada and BA breaches it can be easy for an attacker to compromise a website that consumers use to make bookings and manage their flight information. This may not impact flight operations, but it does impact consumer trust in the airline and the industry.

These types of security incidents will continue to happen, no matter what, so airlines must accept this and take action. They must protect what matters most, protect what cybercriminals are after–protect customers’ data.

For now, BA’s customers are its top priority as well as contending with the fallout of the massive breach announced today, but British Airways is likely to face substantial financial implications including a potential multimillion-pound fine under the General Data Protection Regulation. As it did not have sufficient measures in place to ensure its customers’ data was protected. The data breach may be the result of a criminal act, but there is no excuse for not protecting customers’ data.