Cybersecurity, information security, infosec… call it what you will, but defending airline operations, data and passenger information from these threats has never been so important — or so complicated. And as airlines start to hold more and more of our personal data, including around COVID-19 vaccination, concern is growing.
The predicament, explains Dr Chiara Rustici, an independent academic and data regulation analyst, is that “aviation is a key element of national and international infrastructure. It is also, in large part, privately owned.”
“Current tensions in international relations mean that state and non-state actors are constantly deploying cyberattacks on the other side’s infrastructure as a way to project power and signal greater attack capabilities,” Rustici outlines. “This use of cyber activity just below the threshold of cyber-war leaves civilian infrastructure, such as airlines, in the impossible predicament of shouldering military-grade cyberattacks without the resources of the defence sector. Aviation’s day job is no longer simply carrying goods and passengers: it’s to hold cyberspace’s new front line.”
But what are the objectives of these attacks?
“First and foremost, the objective of a cyber criminal is to get their hands on actionable data and extract value from that,” explains Computer Weekly’s security editor Alex Scroxton. “Many organised cyber crime gangs see themselves as legitimate businesses or Robin Hood type actors, in some cases going so far as to offer their victims free advice on how to improve their security in future.”
Fortunately for real-world security, Scroxton says, and despite some high-profile but ultimately debunked claims, “in this light it is hard to imagine a nightmare scenario in which a cyber attack could down a plane in flight.”
“However, airlines hold vast amounts of highly personal data and it is the nature of this data that should be a source of concern from a risk management perspective,” Scroxton explains. “Documents such as passports or national ID cards are highly sought after as a means of compromise and while they are not deemed special category data under the General Data Protection Regulation, they make airlines tempting targets. This means airline security teams need to be at the top of their game.”
The GDPR is, of course, a regionally specific set of legislation, but across geographies, commercial aviation’s record on information security is spotty at best. “Rightly or wrongly, the cybersecurity record of the whole aviation industry has been tainted by the 2018 British Airways personal data breach, affecting over 420,000 customers,” says Rustici, with Scroxton also citing the BA breach alongside easyJet’s as two examples within the UK alone.
Like any large industry, aviation is certainly a target. That’s especially true given that significant sums of money are in play: while we’re no longer in a time when somebody on a three-week holiday is completely unreachable by their bank or credit card provider, few people go on holiday to pay more attention to their card statements.
“Prior to the pandemic, in covering fraud reduction technologies I know that the travel and hospitality industry was being quite highly targeted for fraud,” says John Tolbert, who focusses on cybersecurity and identity management as well as digital transformation as a lead analyst at identity, access management and cybersecurity specialists KuppingerCole.
He suggests that the recent attack on IT service provider SITA found success as part of this targeting: “I’m surmising that some of those fraud actors found SITA as an upstream supplier of information. What they’re able to do with that, I don’t really know, since they have not disclosed additional information after the original announcement.”
In terms of wider reputational risks, there’s certainly an argument that consumers are largely resigned to their data being stolen, meaning that the real reputational risk is around how companies respond to that with identity theft management provisions — and with other measures, both to prevent and to mitigate the effects of data breaches.
“We’ve been talking for years about data breach fatigue, so I think everybody to a degree feels like there’s an inevitability to it, but that’s probably not the best position to be in,” Tolbert notes.
“We tell everyone: the best thing is to do your due diligence in terms of identity vetting and multi-factor authentication. Those two things can help alleviate a lot of the background noise of data breaches,” he explains. “Identity vetting can help reduce new account fraud, and MFA is the top preventive measure against account takeover fraud.”
Integration of fingerprint, facial recognition and other biometric options with liveness detection offered by modern smartphones can make a difference, and here Tolbert suggests looking to the consumer banking, insurance and finance industries for inspiration. Indeed, think to your own smartphone: how many of your banking and finance apps use biometric recognition? Now, how many airline apps do that?
Fundamentally, says Tolbert, “anything convertible to monetary value is going to be a target. The sooner that companies realise that, the better they will be.”