The ITRC (Identity Theft Resource Center) is a non-profit organization whose mission is to guide consumers, victims, companies, and government bodies in minimizing the risks and mitigating the impact of identity theft. To this end, it carries out studies and publishes documents and figures about data breaches. One of the most striking figures is the fact that, between 2005 and March this year, it registered a total of 11,556 security breaches.

This figure shows that breaches are one of the most common serious incidents suffered by companies. For this reason, they are also an issue that Cytomic deals with rather frequently. Such cases include the 1.2 billion exposed accounts discovered by Vinny Troia, as well as the breaches suffered by the credit card company Capital One, the shipping company Maersk, and Decathlon. All these incidents reflect the fact that no sector is safe from the risks implicit in a data breach. Airlines are no exception to this rule, as the breach recently suffered by EasyJet goes to show.

Travel information for Chinese espionage_

Back in May, EasyJet, one of Europe’s leading low-cost airlines, reported to the ICO, the UK’s data protection authority, that the company had been hit by a “highly sophisticated cyberattack” in which the travel details and email addresses of 9 million customers had been stolen. Even more serious was the fact that the credit card details (number and CVV) of 2,208 of these customers were also compromised.

Although no details have emerged about how this advanced cyberattack was carried out, sources who chose to remain anonymous have suggested that it was the work of Chinese cyberattackers who have also targeted other airlines in the past. To support this argument, they pointed to the fact that the objective was to obtain passengers’ travel details in order to track their movements, not financial gain.

This hypothesis is also consistent with the fact that, according to the company, none of the credit cards whose details were stolen have been used. Nevertheless, EasyJet contacted all affected users and issued a series of recommendations, since the victims may receive phishing emails.

Turbulence in the sector_

These incidents always entail reputational damage, since they diminish the confidence of current and future customers that the company is taking good care of their data. What’s more, the company potentially faces million-euro fines: Under the GDPR, the ICO could impose a fine of up to 4% of the company’s global annual turnover, which, in the case of EasyJet, would be €255 million. Although the average total cost of a data breach is €3.2 million, there is a clear precedent set by the ICO, when it proposed a £183 million fine for British Airways: 1.5% of its annual turnover. However, in the case of BA, the incident was definitely financially motivated: Malicious code was injected into the company’s website to harvest credit card data.

But, despite having different motives, both data breaches prove that the airline sector is an increasingly frequent target for cyberattackers. Some cybersecurity experts put this down to the fact that airlines are a gold mine for data: These companies hold the credit card information and travel records of millions of passengers. What’s more, these records include a particular type of information that practically nobody except the most heavily guarded government agencies has access to: Passports. Because of this, the data is extremely valuable when sold on the Dark Web and can be used to steal the victims’ identities.

Safe landing_

Beyond general recommendations for avoiding data breaches, such as classifying and ranking data, robust access control, and an appropriate password policy, experts agree that airlines need an advanced cybersecurity audit. This audit must include an exhaustive review of all systems and websites; practices such as pen testing; and even a review of the cybersecurity of third parties that handle the company’s data, such as travel agencies.

This is why the CISOs of airlines must have a partner that is able to cover these specific needs. This partner must also provide solutions such as Cytomic Data Watch, which is designed to help organizations comply with data protection regulations and to discover and protect their sensitive data in real time, both on endpoints and on servers. This way, airlines will be able to deal with the turbulence caused by cyberattacks in the best possible way, ensuring that their customers’ data safely lands where it’s supposed to.