Finally, you both deserve and earned that vacation trip to the Bahamas. “I have loads of frequent flyer miles I have use and get there on the cheap.” Or so you thought. The cyberattack on SITA, a commonly used airline service provider, has compromised frequent-flyer data across many airline carriers. SITA is a multinational information technology company providing IT and telecommunication services to the air transport industry. The company provides its services to around 400 members and 2,800 customers worldwide, which it claims is about 90% of the world's airline business. Around the world, nearly every passenger flight relies on SITA technology. SITA has been breached, compromising passenger data stored on the company’s US servers in what the company is calling a “highly sophisticated attack.” Put your new bikini away for now.
The affected servers are in Atlanta and belong to the SITA Passenger Service System (SITA PSS), company spokeswoman stated. SITA PSS operates the systems for processing airline passenger data and belongs to a group of SITA companies, headquartered in Europe. Malaysia Air and Singapore Airlines have already made headlines in recently after alerting their customers they have been compromised as part of the attack.
SITA declined to say how many users have been affected for confidentiality reasons, but Singapore Airlines reported more than 580,000 impacted customers alone, meaning the compromise could ultimately impact millions of users. “Each affected airline has been provided with the details of the exact type of data that has been compromised, including details of the number of data records within each of the relevant data categories,” SITA said. While the company did not comment specifically on the types of data exposed, “save to say that it does include some personal data of airline passengers. Many airlines have issued public statements confirming what types of data have been affected in relation to their passengers.”
Airline members of the Star Alliance, including Luthansa, New Zealand Air and Singapore Airlines, along with OneWorld members Cathay Pacific, Finnair, Japan Airlines and Malaysia Air, have already started communicating with its at-risk users, adding that South Korean airline JeJu Air’s passenger data was also compromised. “The data security incident occurred at our third-party IT service provider and not Malaysia Airlines’ computer systems,” the Malaysia Air’s Twitter account said about the breach earlier this week, without mentioning SITA. “However, the airline is monitoring any suspicious activity concerning its members’ accounts and in constant contact with the affected IT service provider to secure Enrich members’ data and investigate the incident’s scope and causes.”
The systems are linked by SITA PSS so that one airline can recognize frequent-flyer benefits from other carriers. “SITA PSS was holding the data of airlines that are not its direct customers, but are alliance members, because other airlines that are SITA PSS customers have an obligation to recognize the frequent flyer status of individual passengers and ensure that such passengers receive the appropriate privileges when they fly with them,” SITA explained. “That obligation arises from the contractual commitments that the other airline has agreed in its contractual arrangements with an alliance organization.” She added, “It is common practice for alliance members to recognize the frequent-flyer scheme tiers of the passengers they carry. This mandates the sharing of frequent-flyer data amongst alliance members and, consequently, the service providers to those alliance members (such as SITA).”
While details on how the attack happened are close to nil, HackerOne researchers said SITA’s treasure trove of personal data would be tantalizing for cybercriminals. “It’s not clear yet what the attack vector was in the SITA breach, but HackerOne vulnerability data shows that the aviation and aerospace industries see more privilege escalation and SQL-injection vulnerabilities than any other industry. SITA is considered an attractive target for criminals due to the sensitive nature of the information they hold; names, addresses, passport data.
“We have seen the aviation industry particularly hard hit over the past year, perhaps because criminals know they will be vulnerable and their focus and priorities on remaining in business. However, traditional enterprises like airlines have always been an attractive target since few are digital-first businesses, and therefore have relied on legacy software, which is more likely to be out-of-date or have existing vulnerabilities that can be exploited,” a researcher added.
The breach is another in a long list of recent brutal attacks on third-party supply, chain providers to target larger companies, who are traditionally more secure organizations. The most well-known recent event is the SolarWinds breach of the US government; and there is also the spate of global zero-day attacks on users of the Accellion legacy File Transfer Appliance product. “The proliferated effect of the attack on SITA is yet another example of how vulnerable organizations can be solely on the basis of their connections to third-party vendors,” said Cyberpion. “If these kinds of seemingly legitimate connections are not properly monitored and protected, they can result in damaging breaches that unleash highly confidential data, as evidenced in this situation.”
This translates to IT teams having to evaluate the security of every company within their perimeter, a researcher from Panorays said. “You simply cannot know whether your third parties meet your company’s security controls and risk appetite until you’ve completed a full vendor security assessment on them,” Panorays explained. “But through automated questionnaires, external footprint assessments and taking into consideration the business impact of the relationship, you can get a clear, up-to-date picture of supplier security risk. It’s important to note that the best practice is not a ‘one-and-done’ activity, but through real-time, continuous monitoring.”
The Director of open-source supply-chain security at the Linux Foundation, explained during a recent webinar on how to lock down the supply chain that security-savvy IT pros should start asking for SBOMs, or a software bill of materials, before using any third-party solution. This will help ensure that the platform was written securely and with reliable code. “Today’s data breaches tell us it’s no longer enough to secure your perimeter; you also have to secure your third parties, and their third parties,” another words – everyone’s networks.
Red Sky Alliance has been analyzing and documenting cyber threats for 9 years and maintains a resource library of malware and cyber actor reports available at https://redskyalliance.org at no charge.
Red Sky Alliance is a Cyber Threat Analysis and Intelligence Service organization. For questions, comments, or assistance, please contact the lab directly at 1-844-492-7225, or firstname.lastname@example.org
Weekly Cyber Intelligence Briefings:
- Reporting: https://www.redskyalliance.org/
- Website: https://www.wapacklabs.com/
- LinkedIn: https://www.linkedin.com/company/64265941
Weekly Cyber Intelligence Briefings: