Airlines and Personal Data: A Flight of Fancy

When we purchase a ticket for a flight, be it domestic or international, most of us are thinking of the purpose of that ticket: to travel from point A to point B. Those invested in the privacy and compliance discussion have noted since the dawn of the internet that airlines have always collected your name, contact data, emergency contact data and, of course, payment information—our credit cards. We’ve often—perhaps too often—trusted the airlines to protect our data as they would our lives. Few if any of us think twice about providing our personally identifiable information (PII) to the airlines if it will get us through the airport and onto the aircraft faster, and perhaps make us eligible for a perk or two.

Maybe we should.

Data Breach: British Airways

British Airways announced it incurred a breach sometime between Aug. 21 and Sept. 5 of its website and mobile application, impacting 380,000 of its travelers. What did the company lose? According to the airline’s statement, the personal and financial details of customers—including name, billing address and bank card details—were “all at risk.”

In late October, after having had approximately a month to dissect the event, British Airways revised the number of affected customers to 244,000.

The company also announced that a further 185,000 customers had been compromised in a separate incident involving transactions that occurred between April 21 and July 28. British Airways added, “Crucially, we have had no verified cases of fraud.” That might mean that the company is communicating with the payment card providers, or that it hasn’t seen any of the cards identified as compromised used in an attempted transaction with British Airways. I’m going with the latter.

How did it happen?

According to Ars Technica, the August/September 2018 breach occurred via a “highly targeted approach” that evolved from careful dissection of the British Airways site, followed by the crafting of 22 lines of JavaScript code that were injected into the site and generated a duplicate copy of each transaction.

Data Breach: Cathay Pacific

Then we have a far larger compromise that occurred at Cathay Pacific and its subsidiary airline, Dragon Airlines, affecting 9.4 million passengers. In late October, the airline announced that it had discovered unauthorized access to its information technology (IT) systems. The company led the announcement with an assurance to affected passengers: “The company has no evidence that any personal information has been misused.”

What was compromised?

Cathay Pacific listed the following information as being compromised: passenger name, nationality, date of birth, phone number, email, address, passport number, identity card number, frequent flyer program membership number, customer service remarks and historical travel information. In addition, 403 expired credit card numbers were accessed. Twenty-seven credit card numbers with no CVV were accessed. The combination of data accessed varies for each affected passenger.

In a nutshell, what was accessed was all of the data a traveler would have in their profile for international travel—and all the information necessary for an interested party with ill intent to begin the identity theft process.

While it is heartening that the airline has no evidence that any of the information has been “misused,” one must ask: How is Cathay Pacific monitoring the identities of 9.4 million customers? The airline continues to update its customers via a dedicated website, with the most recent update dated late October, where again it reassured its customers but also noted that phishing is taking place and that attempts are being made to spoof the company’s enhanced security protocols.

Data Breach: Air Canada

In late August, Air Canada announced that between Aug. 22 and 24, the company detected “unusual log-in behavior” on its mobile application. When this was detected, the airline took action to block the attempted log-ins and locked down the mobile app to protect customer data.

Their prompt action kept the number of affected customers to approximately 20,000 out of a population of 1.7 million. The affected individuals would have had name, address, email address, telephone number, Aeroplan number, passport number, NEXUS number, Known Traveler Number, gender, date of birth and nationality exposed, but their credit card information would not have been compromised.

The airline—like the others, always ready to put the best possible light on the event—noted that the Government of Canada assures individuals that the “risk of a third party getting a passport in your name is low, if you still have your passport, proof of citizenship and supporting identifying documents.” It doesn’t speculate as to how the thieves may monetize the information stolen.

So, as we head into the holiday travel season, pay attention to what you are sharing with the airlines. Remember: Flying aircraft safely is their primary skillset; infosec and your information may be further down the list of their priorities, as evidenced by the recent spate of breaches.

Christopher Burgess


Christopher Burgess (@burgessct) is a writer, speaker and commentator on security issues. He is a former Senior Security Advisor to Cisco and served 30+ years within the CIA which awarded him the Distinguished Career Intelligence Medal upon his retirement. Christopher co-authored the book, “Secrets Stolen, Fortunes Lost, Preventing Intellectual Property Theft and Economic Espionage in the 21st Century”. He also founded the non-profit: Senior Online Safety.
