Research into the critical internet security of the travel industry...
Andy Jenkinson
CEO CIP. Fellow Cyber Theory Institute. Director Fintech & Cyber Security Alliance (FITCA) working with Governments. NAMED AN EXPERT IN INTERNET ASSET & DNS VULNERABILITIES
Back in August 2018, long before Covid-19 was even thought about, customers of British Airways were merrily booking flights to far-flung and exotic places, only to find out some time later that a) they were going nowhere, and b) they had booked those flights on a shadow website, thanks to a series of basic security oversights at BA.
What happened is that cyber criminals 'stood up' a website called BAWays.com, in essence a near carbon copy of BA's own site, which emulated all of its functions and accepted bookings and payments. To cut a long story short, BA was found to have been negligent in securing and protecting its customers because of those basic security failings. The ICO announced a fine of £183 million which, citing the economic challenges of Covid-19, it later reduced to £20 million. BA then borrowed some £2 billion from the government, backed by the British taxpayer...
As you can see from the rating above, British Airways has clearly not learnt a thing from the breach and has taken no action whatsoever to improve its security. With a rating of F and a score of 0 out of 100 yesterday, it is fair to say that BA's homepage, and therefore its customers, could not be more vulnerable or exploitable.
So let's look at other airlines to see whether this is a one-off, an oversight, or whether the lack of security is as systemic as it is in other sectors. In April 2020, easyJet, together with the NCSC, announced that it had been breached the previous January but had decided to delay informing the public... The Personally Identifiable Information (PII) of some nine million customers was stolen, making it a substantial attack. It too was described as the usual 'sophisticated attack'.
As you can see from the screenshot above, basic security was also not in place, which left the easyJet domains showing as Not Secure. The screenshot is rather ironic, as the easyJet domain that notified the public of the breach was itself Not Secure. But hey, oversights and errors happen, right? So when we look at the easyJet homepage today it is all good, right?
Well, sadly no, it is not. With the same rating of F and score of 0 as BA, easyJet is doing absolutely nothing to improve the protection of the company or its customers, and the current vulnerabilities can easily be exploited further. Surely this is just an unfortunate coincidence, and the wider industry has witnessed these lessons and learnt from them, I hear you cry?
Again, sadly no. In the first week of March 2021, just a few weeks ago, SITA, the airline IT provider, suffered a cyber attack that affected Star Alliance members and many other airlines. Again, this attack was termed sophisticated, which is for two main reasons: 1) it sounds a lot better than 'we left the digital doors wide open and totally ignored basic security', and 2) insurance companies and regulators seem to be more lenient when the term sophisticated is used...
You never hear the following: 'We were negligent and complacent, we simply did not do our jobs properly'.
Malaysia Airlines was breached in March 2010 and remained exposed until June 2019. Given the research and findings above, we would suggest it is still very much exposed.
You may notice a common theme of F ratings and 0 scores across airlines' internet-facing homepages. These are the websites millions of customers land on, and they are clearly, and frequently, targeted successfully to launch attacks such as shadow sites, watering hole attacks, man-in-the-middle attacks or even domain takeover. What is clear is that the companies themselves are guilty of not taking security seriously, and as long as the taxpayer bails them out, so what? The fine from the ICO was pathetic and set the trend for what you witness in this report: a systemically insecure position that renders the airlines insecure and in breach of every data privacy act. I am hopeful the class actions hold these organisations to account and responsible for their negligence. I would urge the CAA to launch investigations into the lack of security, as should the wider aviation authorities. They may wish to address their own also...
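The F ratings and 0 scores quoted above are reported without saying what was measured, and the "Not Secure" screenshots are not reproduced here. As an added example that is not part of the article, and not CIP's rating method (whose checks the page does not describe), the script below grades a homepage on five observations anyone can reproduce and which map onto the attacks just listed: no HTTP-to-HTTPS redirect and a missing or short HSTS policy leave room for man-in-the-middle downgrade; a failed certificate validation is what the browser's Not Secure warning reports; active mixed content and third-party script origins are code-injection points on the booking and payment path. The hostnames, responses and 25-points-per-finding scale are constructed assumptions for illustration; live_probe() shows how to gather the same facts from a real host over the network.

```python
"""Added example: reproducible checks behind a "Not Secure" verdict.
Hostnames, responses and the scoring scale are constructed, not measured."""
import re
import socket
import ssl
import urllib.error
import urllib.request
from dataclasses import dataclass, field
from typing import Optional
from urllib.parse import urlparse

ONE_YEAR = 31_536_000  # HSTS max-age (seconds) that preload lists treat as the floor


@dataclass
class Observation:
    """Raw facts about one hostname; grade() turns them into findings."""
    host: str
    http_status: int               # status of a plain-HTTP GET, redirects not followed
    http_location: Optional[str]   # its Location header, if any
    https_ok: bool                 # TLS handshake with chain and hostname validation succeeded
    headers: dict = field(default_factory=dict)  # HTTPS response headers, lowercase keys
    html: str = ""                 # HTTPS response body


def third_party_script_origins(host: str, html: str) -> list:
    """Hosts of <script src=...> tags that are neither the site nor one of its subdomains."""
    origins = set()
    for src in re.findall(r'<script\b[^>]*\bsrc=["\']([^"\']+)', html, re.I):
        h = urlparse(src).hostname  # None for relative paths such as /js/app.js
        if h and h != host and not h.endswith("." + host):
            origins.add(h)
    return sorted(origins)


def grade(obs: Observation) -> tuple:
    """Return (letter, score, findings). Scale is arbitrary: 25 points off per finding."""
    findings = []
    if not obs.https_ok:
        findings.append("HTTPS handshake failed or certificate did not validate")
    redirected = (300 <= obs.http_status < 400 and obs.http_location is not None
                  and obs.http_location.lower().startswith("https://"))
    if not redirected:
        findings.append("plain HTTP serves content instead of redirecting to HTTPS")
    m = re.search(r"max-age=(\d+)", obs.headers.get("strict-transport-security", ""))
    if m is None:
        findings.append("no Strict-Transport-Security header")
    elif int(m.group(1)) < ONE_YEAR:
        findings.append(f"HSTS max-age {m.group(1)} is below one year")
    if re.search(r'<(script|iframe)\b[^>]*\bsrc=["\']http://', obs.html, re.I):
        findings.append("active mixed content: http:// script or iframe on an HTTPS page")
    origins = third_party_script_origins(obs.host, obs.html)
    if origins:
        findings.append(f"{len(origins)} third-party script origin(s): {', '.join(origins)}")
    score = max(0, 100 - 25 * len(findings))
    return {100: "A", 75: "B", 50: "C", 25: "D"}.get(score, "F"), score, findings


# Constructed observations, not probes of any real airline.
GOOD = Observation(
    host="airline.example", http_status=301, http_location="https://airline.example/",
    https_ok=True,
    headers={"strict-transport-security": "max-age=63072000; includeSubDomains"},
    html='<script src="/js/app.js"></script>')
BAD = Observation(
    host="airline.example", http_status=200, http_location=None, https_ok=True,
    html='<script src="http://cdn.example/jquery.js"></script>'
         '<script src="//stats.third.example/t.js"></script>')


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None  # surface the 3xx instead of following it


def live_probe(host: str, timeout: float = 5.0) -> Observation:
    """Gather the same facts from a real host (needs network; not exercised offline)."""
    try:
        r = urllib.request.build_opener(_NoRedirect).open(f"http://{host}/", timeout=timeout)
        status, loc = r.status, r.headers.get("Location")
    except urllib.error.HTTPError as e:  # an unfollowed 3xx is raised as HTTPError
        status, loc = e.code, e.headers.get("Location")
    except OSError:
        status, loc = 0, None
    https_ok, headers, html = False, {}, ""
    try:
        ctx = ssl.create_default_context()  # validates the chain and the hostname
        with socket.create_connection((host, 443), timeout=timeout) as raw, \
                ctx.wrap_socket(raw, server_hostname=host):
            https_ok = True
        with urllib.request.urlopen(f"https://{host}/", timeout=timeout) as r:
            headers = {k.lower(): v for k, v in r.headers.items()}
            html = r.read(200_000).decode("utf-8", "replace")
    except OSError:
        pass
    return Observation(host, status, loc, https_ok, headers, html)
```

grade(GOOD) returns ("A", 100, []) and grade(BAD) returns an F with four findings; for a live host, grade(live_probe("www.example.com")) runs the same checks against what the server actually sends. The point of the layout is that every finding is an observation a customer's browser also makes, so a rating built this way can be argued over line by line rather than taken on trust.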
Maybe the taxpayer needs to lend more money to the airlines so they can address security...
Strategic Director @ McR Defence | Cyber Security Risk. Until Ukraine wins this war, my posts reflect my personal views.
3 years ago
Even the best are poor. I know organisations that should have security at their core who don't even meet the most basic security measures on a consistent basis. It can be somewhat depressing. I'm happy when they are fined, except they just put up the price of their goods to pay. Maybe the fine should actually be in measured activity on the security front. Just a thought.
cyber security expert
3 years ago
When you board that flight, remember that a flash drive is used to update the navigation system. The cockpit has USB ports that are used for phones and pads. If it isn't a flash drive, it's that old floppy disk created in the 70s, hacked by the kid using the call name Elk. Flash drive, Margaret, 5 min. and you have a flying bomb. Sorry aerospace, the shine of your technological brilliance is only in your dog's eye.