A communications and IT vendor for 90 percent of the world’s airlines, SITA, has been breached, compromising passenger data stored on the company’s U.S. servers in what the company is calling a “highly sophisticated attack.”
The affected servers are in Atlanta, and belong to the SITA Passenger Service System (SITA PSS), company spokeswoman Edna Ayme-Yahil told Threatpost. SITA PSS operates the systems for processing airline passenger data and belongs to a group of SITA companies, headquartered in the E.U.
Yahil declined to say how many users have been affected, citing confidentiality reasons, but Singapore Airlines alone reported more than 580,000 impacted customers, meaning the compromise could ultimately impact millions of users.
“Each affected airline has been provided with the details of the exact type of data that has been compromised, including details of the number of data records within each of the relevant data categories,” Yahil said.
Frequent-Flyer Data Compromised
While the company didn’t comment specifically on the types of data exposed, “safe to say that it does include some personal data of airline passengers,” Yahil added. “Many airlines have issued public statements confirming what types of data have been affected in relation to their passengers.”
Airline members of the Star Alliance, including Lufthansa, New Zealand Air and Singapore Airlines, along with OneWorld members Cathay Pacific, Finnair, Japan Airlines and Malaysia Air, have already started communicating with their at-risk users, Yahil told Threatpost, adding that South Korean airline Jeju Air’s passenger data was also compromised.
“The data security incident occurred at our third-party IT service provider and not Malaysia Airlines’ computer systems,” Malaysia Air’s Twitter account said about the breach earlier this week, without mentioning SITA by name. “However, the airline is monitoring any suspicious activity concerning its members’ accounts and in constant contact with the affected IT service provider to secure Enrich members’ data and investigate the incident’s scope and causes.”
The systems are linked by SITA PSS so that one airline can recognize frequent-flyer benefits from other carriers.
“SITA PSS was holding the data of airlines that are not its direct customers, but are alliance members, because other airlines that are SITA PSS customers have an obligation to recognize the frequent flyer status of individual passengers and ensure that such passengers receive the appropriate privileges when they fly with them,” Yahil explained to Threatpost. “That obligation arises from the contractual commitments that the other airline has agreed in its contractual arrangements with an alliance organization.”
She added, “It is common practice for alliance members to recognize the frequent-flyer scheme tiers of the passengers they carry. This mandates the sharing of frequent-flyer data amongst alliance members and, consequently, the service providers to those alliance members (such as SITA).”
Airline Supply-Chain Attacks on The Rise
While details on how the attack happened are scant, HackerOne solutions architect Shlomie Liberow said SITA’s trove of personal data would be tantalizing for cybercriminals.
“It’s not clear yet what the attack vector was in the SITA breach, but HackerOne vulnerability data shows that the aviation and aerospace industry see more privilege escalation and SQL-injection vulnerabilities than any other industry, accounting for 57 percent of the vulnerabilities reported to these companies by ethical hackers,” Liberow explained. “SITA would be an attractive target for criminals due to the sensitive nature of the information they hold — names, addresses, passport data.”
Liberow said it’s time for the airlines to dig in on securing their systems.
“We’ve seen the aviation industry particularly hard hit over the past year, perhaps because criminals know they will be vulnerable and their focus and priorities on remaining in business. However, traditional enterprises like airlines have always been an attractive target since few are digital-first businesses, and therefore have relied on legacy software, which is more likely to be out-of-date or have existing vulnerabilities that can be exploited,” Liberow added.
Locking Down the Software Supply Chain
The breach is yet another in a long list of recent brutal attacks on third-party supply-chain providers to target larger, more secure organizations. The most well-known recent event is the SolarWinds breach of the U.S. government; and there’s also the spate of global zero-day attacks on users of the Accellion legacy File Transfer Appliance product.
“The proliferated effect of the attack on SITA is yet another example of how vulnerable organizations can be solely on the basis of their connections to third-party vendors,” said Ran Nahmias, co-founder of Cyberpion. “If these kinds of seemingly legitimate connections are not properly monitored and protected, they can result in damaging breaches that unleash highly confidential data, as evidenced in this situation.”
That means it’s up to IT teams to evaluate the security of every company within their perimeter, Demi Ben-Ari from Panorays said.
“You simply cannot know whether your third parties meet your company’s security controls and risk appetite until you’ve completed a full vendor security assessment on them,” Ben-Ari explained. “But through automated questionnaires, external footprint assessments and taking into consideration the business impact of the relationship, you can get a clear, up-to-date picture of supplier security risk. It’s important to note that the best practice is not a ‘one-and-done’ activity, but through real-time, continuous monitoring.”
David Wheeler, director of open-source supply-chain security at the Linux Foundation, explained during a recent Threatpost webinar on locking down the supply chain that security-savvy IT pros should start asking for a software bill of materials (SBOM) before using any third-party solution. This will help ensure that the platform was written securely and with reliable code.
“Today’s data breaches tell us it’s no longer enough to secure your perimeter; you also have to secure your third parties, and their third parties,” Ben-Ari warned.