Cyber Turbulence for Major Airlines

A series of data breaches put a spotlight on cybersecurity risk in the airline industry.


Over the past several weeks, we have heard of the breaches at a number of airlines. Just this week, Cathay Pacific disclosed that a security breach compromised the personal information of 9.4 million of its customers. Several colleagues and I travel for a living in Canada and were affected by the Air Canada breach. While any breach of cybersecurity is never a good thing, a breach of an airline can be catastrophic—not only for the people involved but for the industry in general.

What do we know about these breaches? Here are some of the key things we know so far:

Air Canada Data Breach

What happened? Air Canada revealed a data breach on its mobile app, which the airline said may affect 20,000 people—or 1 percent—of its 1.7 million app users. The company said it had “detected unusual log-in behavior” occurring between August 22 and 24, 2018.

What was compromised? Names, email addresses, phone numbers, gender, dates of birth, passport numbers and expiry date, passport country of issuance, NEXUS numbers, and countries of residence.

British Airways Data Breach

What happened? Between 10:58 p.m. on August 21 and 9:45 p.m. on September 5, 2018, hackers stole the personal and financial details of people who booked flights on the British Airways website and mobile app. According to the company, an undisclosed “third party” notified it of suspicious activity. Later analysis suggests that the hack was carried out with credit card skimming malware that the attackers installed on the British Airways website.

What was compromised? Names, addresses, emails and credit card details including card numbers, expiration dates, and security codes.

Cathay Pacific Data Breach

What happened? Cathay Pacific revealed on October 24, 2018, that “unauthorized access to its systems” compromised personal information of 9.4 million customers. The company discovered “unusual activity on their network” in March 2018, and in May, it confirmed the activity was unauthorized access. Details are still being gleaned, and I am sure more will come out over the next several weeks.

What was compromised? Passenger names, dates of birth, nationalities, phone numbers, email addresses, mailing addresses, and passport and identity card numbers.

Airlines have a treasure trove of personal information on us. They have our most private identity details: when and where we travel, who we travel with, and when we are away from home. This opens us up to all types of threats to ourselves and our families.

The Cathay Pacific and Air Canada breaches have been the most troubling. Because of the data compromised from those two airlines, 20,000 Air Canada passengers and 9.4 million Cathay Pacific passengers are at serious risk of not only credit fraud, but full identity theft involving national identity cards, passports and trusted traveler programs. Knowing that my data is probably for sale somewhere and could be used for nefarious activity is quite frightening. Think of someone impersonating you with a forged passport and traveling to locations known for terrorist or criminal activity—using it to cross international borders for smuggling or illegal entry. Imagine how long it would take to clear your name. The hassles at the border and the effort of renewing personal identification could be a lifetime of pain and frustration.

Besides the concern caused by these breaches, the language used by Air Canada and Cathay Pacific in describing what took place is just as disconcerting (Air Canada: “unusual login patterns” and Cathay Pacific: “unusual activity on their network”).

When the airlines say “unusual,” it means that their current methods of cybersecurity did not catch this activity. As I have talked about in previous blogs, it is hard to rely on traditional tools that are static or that make simple trusted-or-untrusted decisions. Most often, the traditional systems create more noise than signal. If you want to detect the unusual, then you need a tool that can understand what normal is for every entity potentially at risk. The measure of unusual will not be a 1 or 0 answer—it will be a continuum of risk as new activities are observed. As the risk increases, it can be remediated before the breach happens. The bad guys may steal tens, hundreds or thousands of identities, but they would not get tens of thousands or multiple millions.
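To make the "learn what normal is, then score the unusual as a continuum" idea concrete, here is an added illustration (my own example code, not Interset's product or the airlines' tooling) that builds a per-account baseline from constructed login history and turns each account's activity today into a risk score between 0 and 1 rather than a yes/no alert. The event tuples, account names and IP addresses are all constructed sample data; the weighting of the three components is an assumed, arbitrary choice.

```python
"""Per-entity baseline scoring over constructed login events (added example)."""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed 14-day history: (day, account, source_ip, outcome). Not real data.
HISTORY = ([(d, "alice", "10.0.0.5", "ok") for d in range(14)]
           + [(d, "bob", "10.0.0.9", "ok") for d in range(14)]
           + [(d, "bob", "10.0.0.9", "fail") for d in (3, 9)])

# Constructed events for today: (account, source_ip, outcome).
# bob's normal login is followed by repeated failures from an address he never used.
TODAY = ([("alice", "10.0.0.5", "ok"), ("bob", "10.0.0.9", "ok")]
         + [("bob", "203.0.113.7", "fail")] * 7
         + [("carol", "198.51.100.2", "ok")])  # account with no history at all


def build_baseline(history):
    """Per account: mean/stdev of daily attempt counts and the source IPs seen."""
    per_day = defaultdict(lambda: defaultdict(int))
    ips = defaultdict(set)
    for day, account, ip, _outcome in history:
        per_day[account][day] += 1
        ips[account].add(ip)
    return {a: {"mean": mean(c.values()), "sd": pstdev(c.values()), "ips": ips[a]}
            for a, c in per_day.items()}


def risk_scores(profile, events):
    """Return {account: risk in [0, 1]}; higher means further from that account's normal."""
    attempts = defaultdict(list)
    for account, ip, outcome in events:
        attempts[account].append((ip, outcome))
    scores = {}
    for account, evs in attempts.items():
        p = profile.get(account, {"mean": 0.0, "sd": 0.0, "ips": set()})
        n = len(evs)
        z = (n - p["mean"]) / (p["sd"] or 1.0)        # volume vs. this account's own history
        volume = min(1.0, max(0.0, z / 4.0))          # saturates at 4 standard deviations
        novelty = sum(ip not in p["ips"] for ip, _ in evs) / n   # share from unseen sources
        failure = sum(o != "ok" for _, o in evs) / n             # share of failed attempts
        scores[account] = round(0.4 * volume + 0.4 * novelty + 0.2 * failure, 3)
    return scores


def demo():
    return risk_scores(build_baseline(HISTORY), TODAY)


if __name__ == "__main__":
    for account, risk in sorted(demo().items(), key=lambda kv: -kv[1]):
        print(f"{account:6s} risk={risk:.3f}")
```

An account with no baseline (carol) lands in the middle of the scale rather than being silently trusted or blocked, which is the continuum the paragraph above argues for.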

The “unusual” will be the new normal for cybersecurity, and unfortunately, traditional tools can’t handle “unusual” effectively. It’s time for a different approach. Interset user and entity behavioral analytics (UEBA) is designed for the strange and unusual—it does not need to know ahead of time what the unusual is, but instead what normal is, and from there it can find the “unusual”.

Contact us at securityai@interset.com to learn how you can be proactive about security and catch unusual behavior before it does serious damage.