Multiple Airlines Hit By Supply Chain Attack

A major aviation IT company has been breached in what appears to be a highly sophisticated, coordinated supply chain attack affecting multiple airlines and hundreds of thousands of passengers. SITA provides IT and telecoms services to around 400 members in the industry, claiming to serve around 90% of the global airline business. 

SITA has disclosed a data security breach involving their passenger service system servers. “We recognise that the COVID-19 pandemic has raised concerns about security threats, and, at the same time, cyber criminals have become more sophisticated and active” SITA said in a statement.

The company revealed that attackers had compromised passenger data stored on its SITA Passenger Service System servers in the US which operate passenger processing systems for airline clients.After confirmation of the seriousness of the data security incident on February 24 2021, SITA took immediate action to contact affected SITA PSS customers and all related organisations. 

  • Singapore Airlines released a statement this week to the same effect. Although the airline said it is not a customer of SITA, the attackers managed to compromise its KrisFlyer and PPS members’ data via a fellow Star Alliance member. 
  • Other airlines affected include Finnair who said 200,000 frequent flyers were affected. Unlike to the devastating data breach at British Airways in 2018, debit and credit card information was not taken, but the airline has advised customers to change their card account passwords.  
  • The hack is also thought to be part of an attack on ill-fated Malaysia Airlines, which found that ts frequent flyer programme had been compromised between 2010 and 2019.

Ran Nahmias, co-founder of threat intelligence firm Cyberpion, says the attacks highlight the risks involved in modern IT supply chains. “When you consider the need to monitor the potential risks across a vast ecosystem that includes vector-associated DNS management, cloud providers, web properties, encryption, certificates and mobile infrastructures, the modern IT organization is not prepared to monitor, let alone manage, that risk... When there is a lack of clearly defined oversight and management processes, hackers are able to operate freely and inflict significantly more damage.”

If you are the customer of an airline and have a Data Subject Access Request in relation to the handling of your personal data, this request must be made directly to that airline in accordance with GDPR and data protection legislation. SITA itself is unable to respond directly to such requests.

Singapore Air:          SITA:        Infosecurity Magazine:       YLE Finland

You Might Also Read:

Airline Faces £800m Penalty For Customer Data Breach:

 

« Britain Will Build Up Its Military Cyber Capabilities
GCHQ’s AI Report Has A Clear Message »

Perimeter 81

Directory of Suppliers

eBook: Practical Guide to Security in the AWS Cloud

eBook: Practical Guide to Security in the AWS Cloud

AWS Marketplace would like to present you with a digital copy of the new book, Practical Guide to Security in the AWS Cloud, by the SANS Institute.

Clayden Law

Clayden Law

Clayden Law are experts in information technology, data privacy and cybersecurity law.

CSI Consulting Services

CSI Consulting Services

Get Advice From The Experts: * Training * Penetration Testing * Data Governance * GDPR Compliance. Connecting you to the best in the business.

BackupVault

BackupVault

BackupVault is a leading provider of completely automatic, fully encrypted online, cloud backup.

ZenGRC

ZenGRC

ZenGRC - the first, easy-to-use, enterprise-grade information security solution for compliance and risk management - offers businesses efficient control tracking, testing, and enforcement.

WEBINAR: How To Build A Security Observability Strategy In AWS

WEBINAR: How To Build A Security Observability Strategy In AWS

Thursday, Apr 22, 2021 - Join this webinar to learn how to build a security observability strategy in AWS, covering cloud-native monitoring sources, guardrails, and automation capabilities.

CYRIN

CYRIN

CYRIN® Cyber Range. Real Tools, Real Attacks, Real Scenarios. See why leading educational institutions and companies in the U.S. have begun to adopt the CYRIN® system.

Jooble

Jooble

Jooble is a job search aggregator operating in 71 countries worldwide. We simplify the job search process by displaying active job ads from major job boards and career sites across the internet.

Protective Intelligence

Protective Intelligence

Protective Intelligence brings together a group of information security specialists with a passion for delivering high-quality solutions.

Synopsys

Synopsys

Synopsys is a global leader in electronic design automation and semiconductor IP and is growing its leadership in software quality and security solutions.

Mitol PerfectBackup

Mitol PerfectBackup

Mitol PerfectBackup provide Enterprise Online Backup, Disaster Recovery and Cloud Computing Services.

Cyberkov

Cyberkov

Cyberkov services include Pentesting, Vulnerability Assessments, Digital Forensics, Incident Response, Source Code Analysis and Security Training.

Sixgill

Sixgill

Sixgill is a cyber threat intelligence company that covertly and automatically analyzes Dark Web activity detecting and preventing cyber-attacks and sensitive data leaks before they occur.

Cylus

Cylus

Cylus, a global leader in rail cybersecurity, helps rail and metro companies avoid safety incidents and service disruptions caused by cyber-attacks.

Swascan

Swascan

Swascan is the first all-in-one, GDPR Compliant, Cloud Security Suite Platform. GDPR Assessment, Web Application Scan, Network Scan, Code Review.

IPACSO

IPACSO

IPACSO is a project aimed at supporting the development of innovative cyber security and privacy related activities in Europe.

NSA Career Development Programs

NSA Career Development Programs

NSA offers entry-level programs to help employees enhance their skills, improve their understanding of a specific discipline and even cross-train into a new career field.

IDX

IDX

IDX is the leading consumer privacy platform built for agility in the digital age.