The ultra-sensitive airport sector is garnering growing interest among cyber criminals. And computer threats against airports are also targeting planes, airlines… and actual passengers. Considering factors such as the financial cost of an immobilized fleet, the economic consequences of an airport operating at reduced speed, and the anger and dissatisfaction of passengers whose personal data are stolen, cybersecurity in the airport industry is becoming a real issue. We look back at ten notable cyberattacks in the industry.
2015: DDoS attack on an airline leaves 1,400 passengers stranded at Warsaw airport
In June 2015, Polish airline LOT was the target of a cyber attack resulting in the paralysis of part of its air fleet for several hours, in the heart of Warsaw airport. No fewer than 1,400 of the airline's passengers were stranded, with ten flights cancelled and fifteen others delayed. According to experts, this aerial chaos was due to a DDoS attack against LOT, apparently resulting in the saturation of the airline's information systems, preventing it from operating its normal flight plans.
2016 & 2017: Boryspil airport in Kiev, twice victim of attacks against Ukraine
In 2016, Ukraine experienced a wave of cyber attacks that hit the country's critical infrastructure, with Russia suspected of being the source of these sabotages. Kiev's Boryspil International Airport was one of the structures targeted by the attackers, and appears to have been infected with the BlackEnergy malware. According to the Ukrainian CERT (CERT-UA), the malware was countered in time, thus preventing any propagation within the airport's information systems.
In 2017, Ukraine was once again hit by a wave of cyberattacks that simultaneously affected a number of infrastructures and companies in countries such as Russia, Spain, Great Britain and France. This time, GoldenEye ransomware was identified as the attack vector, resulting in the unavailability of part of the IT equipment at Kiev airport.
2017: Heathrow Airport leaks highly confidential data
In 2017, the UK's Heathrow airport was criticised for its negligence in protecting confidential information: one of the employees of the airport is said to have lost a USB key containing 76 folders and more than 1,000 confidential files relating to the identity of passengers, the routes taken by official members of the British government, and information related to the airport's surveillance cameras and runways. All the data were easily accessible: the USB key featured neither a password nor an encryption system. The individual who found this key immediately alerted the press and returned the device to airport services. For its part, Heathrow was fined 140,000 euros for non-compliance with confidential data protection regulations.
2018: a flaw in an Air Canada mobile app exposes 20,000 customers
In August 2018, the Air Canada airline detected unusual activity on its mobile application intended for the company's customers. After three days of analysis, the IT teams confirmed that the mobile application had been hacked, exposing the data of 20,000 customers. According to the company, information relating to passenger journeys and identities – addresses, passport numbers, dates of birth, etc. – had been exposed, but apparently no banking data was compromised. As a security measure, Air Canada reset the application's 1.7 million user accounts after discovering the flaw.
2018: British Airways suffers massive customer data leak
In September 2018, British Airways was the victim of a massive data breach impacting its customers and staff members. According to the Information Commissioner's Office (ICO), attackers hijacked the traffic of thousands of customers who believed they were connecting to the official British Airways website, but had in fact been redirected to a fraudulent site. Over a two-month period, cyber criminals were apparently able to collect the personal data of 400,000 people, including banking data. In addition, the usernames and passwords of a number of British Airways employees, along with access to administrator accounts belonging to IT teams, were also allegedly exposed. The ICO stated that this information leak could have been avoided if British Airways had taken the necessary cybersecurity measures. The airline was therefore fined $26 million for its failings, and has since strengthened its computer security systems.
2018: Cathay Airways security flaws exploited for malicious purposes
Several security flaws in Cathay Airways' information systems were allegedly exploited for malicious purposes between March and October 2018, resulting in the disclosure of data belonging to 9.4 million customers. According (again) to the ICO, the attackers were able to penetrate the systems of Cathay Airways on several occasions, injecting a malware tool to harvest the company's customer data. Similarly to British Airways, Cathay Airways was ordered to pay a fine of nearly $700,000 for breaching the protection of its customers’ data. This information leak is, to date, the largest ever to hit the airport industry.
2020: Information of 9 million EasyJet customers leaked after a cyberattack
Two years later, in 2020, it was the turn of the EasyJet airline to be the victim of a major data breach. The personal data of nine million customers were exposed, including bank details for more than 2,000 of them. Although the investigation is still ongoing, there would seem to be nothing coincidental about the fact that this attack occurred at the height of the health crisis. According to some experts, the Covid-19 situation has created a renewed interest among cyber-criminals in personal data, which is subsequently reused for fraudulent purposes.
2020: two San Francisco airport websites hacked
Two login portals – one reserved for employees, the other for partners and service providers – at San Francisco International Airport were reportedly hacked in March 2020. Malicious code was injected on these two sites in order to harvest the usernames and passwords used at the time of login. The number of accounts exposed is not yet known, but the airport took immediate preventive measures and reset all the passwords of its employees and customers.
2020: several attempted attacks foiled by Prague airport
Vaclav Havel Airport in Prague confirmed it had been the target of multiple cyberattack attempts against its systems in April 2020, along with two hospitals in the country, which were also targeted at the same time. According to the NUKIB – the country's national information systems security authority – cyber criminals attempted to inject malware designed to damage or even destroy infected workstations. In Vaclav Havel airport's case, however, IT teams appear to have detected the attackers at a sufficiently early stage, during their exploratory phases, enabling them to react as quickly as possible and prevent any attack from being perpetrated on their systems.
2021: an IT supplier in the airport industry falls victim to a cyberattack
The company SITA, which develops software and solutions used by thousands of players in the airport industry, was reportedly the victim of a cyberattack in March this year. Early findings of the investigation, still in progress, suggest that the cybercriminals’ targets were servers hosting the data of airlines’ customers. The company has not yet officially commented on the scale of this attack, but the repercussions on its various customers could be significant, as illustrated by the statement released by the Air India airline in May, reporting that the attack suffered by SITA has resulted in the theft of the data of 4.5 million of the Indian company's passengers.