The data breach at Cathay Pacific and Hong Kong Dragon Airlines, which exposed the sensitive personal and financial details of up to 9.4 million customers, is certainly not the first and probably won’t be the last such event in commercial aviation. The likelihood of further hacks raises alarms about the adequacy of airlines’ data security practices, and their handling of events when they happen.
Closely following Cathay’s disclosure this week, British Airways updated the number of customers affected by the data breach it announced in September. Working with specialists, cyber forensic investigators, and the UK’s National Crime Agency, BA’s follow-up investigation led the carrier to notify a further 77,000 customers that their payment cards may have been compromised, including the CVV code, and 108,000 customers without the CVV code.
“The potentially impacted customers were those only making reward bookings between April 21 and July 28, 2018, and who used a payment card,” the airline stated. BA also said that, of the previous 380,000 customer payment card details announced, only 244,000 were affected. The airline added that there have been no verified cases of fraud.
The types of data exposed in the Cathay breach include passenger names, nationalities, dates of birth, contact details, passport numbers and other identity document numbers, and frequent flyer program membership numbers, as well as customer service remarks and historical travel information. Cathay also said that 403 expired credit card numbers were accessed and 27 credit card numbers were accessed, with no CVV.
But it is perhaps the airline’s failure to notify customers in a timely manner that is most worrying. Cathay first discovered the breach in March and confirmed it in May of this year. Though Cathay’s CEO, Rupert Hogg, followed the lead of BA CEO Alex Cruz by issuing an apology to customers this week, there hasn’t been a clear statement on why Cathay waited so long to make the breach public.
CEO's message to our customers. pic.twitter.com/qfrKIj2ZFG
— Cathay Pacific Data Security Event (@CxInfosec) October 25, 2018
Airlines sit on a wealth of identity and financial data which makes them attractive targets for these exploits, but they have a duty to care for the information that customers entrust to them and to be transparent on how it is handled.
“I think it’s the duty of any organization who manages data to make sure that they have the highest level of security compliance and that they are supporting each other,” Rob Sinclair Barnes, strategic marketing director, airline, at Amadeus tells the Runway Girl Network. “It comes down to accountability of every single company.”
Amadeus has ongoing security compliance training for staff with twice-yearly “bootcamps” that cover sensitive matters of data security and best practices. “Every one of our employees is data security compliance trained and they have to go through rigorous process training twice a year. Everyone has to achieve a standard of data compliance, or they have to go back to boot camp and retrain. Only once they have passed it can they then be allowed back in to access our system,” says Sinclair.
Amadeus also extends security training to its customers with regular forums and workshops and by keeping customers informed of the latest threats in the marketplace, as well as educated about the regulations that impact the use and storage of data—such as the EU’s GDPR (General Data Protection Regulation).
There are other factors besides hacking to worry about.
“Data security isn’t just about cyber security. It is also about security in the building,” adds Sinclair. “Some people are trying to get access to buildings – trying to get in as cleaners, etc – to access computers that are not properly password protected. Data breach is not just about data but about how people are trying to infiltrate and penetrate buildings from all sides – it continues throughout.”
IATA, ACI and ICAO have all raised alarms about cyberthreats to aviation, are collaborating on solutions, and have called on governments to provide a stronger security framework.
“Personally, I don’t think there is enough visibility about this,” says Sinclair. “I believe it is a big threat and something that we are underestimating as a global environment. From that point of view, any government should support all businesses – small and large – in terms of how to make best use of data compliance and at the same time protect international breaches.”