Cybersecurity Expert Insight: SITA Data Breach

By ISBuzz Team, Writer, Information Security Buzz | Mar 10, 2021 01:13 am PST

Global air transport data giant SITA has confirmed a data breach involving passenger data. The company said in a brief statement on Thursday that it had been the “victim of a cyberattack,” and that certain passenger data stored on its U.S. servers had been breached. The cyberattack was confirmed on February 24, after which the company contacted affected airlines.

9 Responses

  1. While it appears that the only information accessed in the breach are names and membership numbers, KrisFlyer and Singapore Airlines customers will still want to keep an eye on such things as the statistics on their loyalty program information and frequent flyer miles.

     It’s possible that the hackers could match up customer names with email addresses and cell phone numbers that they already possess, and may use the information to send out phishing emails and texts, which means affected users will want to keep an eye out for such attempts.

  2. Thankfully the perpetrators of this breach don’t seem to have accessed any personal data other than names and membership numbers. Whilst this will still be a concern for those customers involved, SITA appears to have a robust incident response plan in place for their protection. The vital take-away for operators here is that your supply chain needs just as much protection as your core business. Data-sharing is a fundamental part of modern business practice, but any enterprise should require and validate data security protocols for all of their suppliers, subsidiaries and any other associated companies. A breach in the chain can happen anywhere, but if it’s your chain, it’s your reputation.

  3. Airline loyalty programs and frequent flyer miles are a common target for cybercriminals, who can redeem them to get gift cards or make purchases at local retailers. Some points are also resold on the grey web to mileage brokers. I wrote an article examining airline miles being sold on the dark web in 2018: https://www.comparitech.com/blog/information-security/how-much-are-stolen-frequent-flyer-miles-worth-on-the-dark-web/

     Prices averaged $0.015 per mile, much lower than the real-world market price.

  4. The most concerning aspect of this data breach is the broad scope of the attack. In this case, the breach did not happen as a direct attack on Singapore Airlines, but as a breach of their IT provider. A lesson which organisations can take away from this scenario is to create security rules and procedures, not only for internal stakeholders but also for their partners in the supply chain. This means taking the software and service provider processes into consideration when discussing a partnership and defining what security measures will be implemented.

  5. As Singapore Airlines is currently experiencing, businesses are only as secure as their least secure supplier. As this attack has shown, when one company is compromised it can have a domino effect. Being able to share information quickly and easily gives organisations a competitive edge, but that means it is even more important that we foster a culture of responsibility for securing data through the entire supply chain. It’s not clear yet what the attack vector was in the SITA breach, but HackerOne vulnerability data shows that the aviation and aerospace industry sees more privilege escalation and SQL injection vulnerabilities than any other industry, accounting for 57% of the vulnerabilities reported to these companies by ethical hackers.

     SITA would be an attractive target for criminals due to the sensitive nature of the information they hold – names, addresses, passport data. We’ve seen the aviation industry particularly hard hit over the past year, perhaps because criminals know they will be vulnerable and their focus and priorities are on remaining in business. However, traditional enterprises like airlines have always been an attractive target, since few are digital-first businesses and they have therefore relied on legacy software, which is more likely to be out of date or have existing vulnerabilities that can be exploited.

  6. News of a major breach involving passenger data is the latest in a series of disappointing security incidents to have blighted the passenger aviation industry in recent years.

     Airlines remain a key target for cyber-attacks, and Star Alliance will be frustrated that it was the systems of a third-party IT operator, Sita, that were breached rather than its own. The incident is also a timely reminder of the critical need for organisations to assess the security posture of the businesses and technologies that make up their supply chains, following the SolarWinds cyber-attack at the end of last year.

     In disclosing the breach, Sita was careful to emphasise the highly sophisticated nature of the attack, but this has become an all too common justification in the wake of major security events. There’s doubt that today’s cybercriminals are highly sophisticated, and they are only getting more so. Organisations need to be clear about this and, if they want to avoid the embarrassing legal, financial and reputational consequences of customer data breaches, must adopt a layered approach to cybersecurity that includes people, process, and enabling technologies to reduce the risk, minimise the impact of a breach should one occur, and demonstrate diligence and best practice to both customers and governing bodies.

  7. Details of frequent fliers are a treasure trove for cybercriminals, and this breach acts as a stark reminder of the third-party risks that all organisations face. Breaches often happen through a security failure at a supply chain partner, sometimes three or four levels removed from an organisation. It is impossible to defend a thousand different perimeters spread across all the third parties, each with their own network of connections. That’s why it’s important to secure the data, not just the network.

     No matter how good your own network security, someone else may leak your data, and bad actors are ready to exploit this. Businesses need to adopt a data-centric approach to security which includes improving security training and awareness for staff, especially when using third-party applications outside the jurisdiction of IT.

     Organisations that hold customer data must enforce security standards with their own suppliers, require ISO certification and set mandatory requirements for data processing. Fail to do so and there will be difficult questions for the business to answer, while having a significant impact on reputation and customer trust in their brand. There is also the potential for user details to be used in follow-on phishing attacks by impersonating many types of businesses. The customers of these airlines, who are the true victims of this attack, should be prepared for these

  8. The SITA breach is a good reminder that it is not just your own organization’s security that is mission critical; the security of your third-party partners and suppliers is just as important.

     Making sure your organization only shares the essential data needed, and verifying that your partners and suppliers are implementing and following a security framework, like the one outlined by NIST (National Institute of Standards and Technology) in SP800-53, is as important as making sure your own organization is secure.

     Even NIST recognizes that attacks on applications and the loss of data from those attacks have increasingly become a problem. NIST added specific requirements around application security, RASP and IAST, in their latest revision of the SP800-53 security policy framework that was released in September of 2020.

  9. Central airline management systems are attractive targets for attackers. Data has to persist for booking management over long periods of time, and the trove of personal data can be extensive, spanning financial data, identity, reservations, passports as well as travel history data. Given global travel data’s very nature, it also falls under a myriad of privacy and data security regulations from GDPR to CCPA and beyond. For this reason, it’s precisely the kind of data that should be protected with modern data tokenization technology to reduce its exposure to compromise, and only make it available when absolutely necessary.
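Responses 8 and 9 above both point at the same control: share only the fields a partner actually needs, and never let the sensitive ones leave in clear text. The following is an added example written for this page, not SITA's, any airline's or any vendor's code. It assumes a vault-style design in which each sensitive value is replaced by a random token (the token carries no information about the value, unlike an encrypted or hashed form) and the vault alone can reverse it, and only for an allow-listed purpose. The partner names, field names and the sample passenger record are all constructed for the demonstration.

```python
"""Vault-style tokenization plus per-partner data minimisation.

Illustrative example added to this page; it is not SITA's, any airline's
or any vendor's code. Field names, partner names and the sample record
below are constructed for the demonstration.
"""
import secrets


class TokenVault:
    """Swap sensitive values for random tokens and keep the mapping here.

    Tokens are random strings, not an encryption or hash of the value, so a
    token that leaks from a partner reveals nothing and cannot be reversed
    without the vault. Reversal is gated on an allow-list of purposes and
    every reversal attempt, allowed or not, is recorded for audit.
    """

    def __init__(self, allowed_purposes):
        self._forward = {}                      # (kind, value) -> token
        self._reverse = {}                      # token -> value
        self.allowed_purposes = frozenset(allowed_purposes)
        self.audit = []                         # (purpose, token) per attempt

    def tokenize(self, kind, value):
        key = (kind, value)
        if key not in self._forward:            # same value -> same token,
            token = f"tok_{kind}_{secrets.token_hex(8)}"  # so joins still work
            self._forward[key] = token
            self._reverse[token] = value
        return self._forward[key]

    def detokenize(self, token, purpose):
        self.audit.append((purpose, token))
        if purpose not in self.allowed_purposes:
            raise PermissionError(f"detokenisation not permitted for {purpose!r}")
        return self._reverse[token]


# Which fields each (constructed) partner may receive at all. Anything not
# listed is dropped before sharing: the "only the essential data" rule.
PARTNER_FIELDS = {
    "loyalty-partner": {"name", "membership_number"},
    "fraud-analytics": {"booking_ref", "card_number", "passport_number"},
}

# Fields that never leave as clear text, mapped to a token kind.
SENSITIVE_FIELDS = {"passport_number": "passport", "card_number": "card"}


def prepare_for_partner(record, partner, vault):
    """Return the subset of `record` the partner may see, sensitive values tokenized."""
    allowed = PARTNER_FIELDS[partner]
    shared = {}
    for field_name, value in record.items():
        if field_name not in allowed:
            continue                            # data minimisation: not shared
        if field_name in SENSITIVE_FIELDS:
            value = vault.tokenize(SENSITIVE_FIELDS[field_name], value)
        shared[field_name] = value
    return shared


# Constructed sample record; the card number is a well-known test number.
SAMPLE_RECORD = {
    "name": "A. Passenger",
    "membership_number": "KF0000001",
    "booking_ref": "ABC123",
    "passport_number": "X00000000",
    "card_number": "4111111111111111",
    "home_address": "1 Example Street",
}


if __name__ == "__main__":
    vault = TokenVault(allowed_purposes={"fraud-review"})
    for partner in PARTNER_FIELDS:
        print(partner, prepare_for_partner(SAMPLE_RECORD, partner, vault))
    shared = prepare_for_partner(SAMPLE_RECORD, "fraud-analytics", vault)
    print(vault.detokenize(shared["card_number"], "fraud-review"))
```

The loyalty partner ends up with exactly the two fields the breach statement mentions (name and membership number) and nothing else, while the analytics partner receives tokens it cannot reverse. In a real deployment the vault is a separate, more tightly guarded service with its own access control and audit trail; the point of the design is that a compromise at a partner, or of the shared dataset itself, yields nothing that can be turned into a passport or card number.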
