Why are airlines failing to keep customer data safe?

On 19th May 2020, EasyJet confirmed that it had been the target of a highly sophisticated cyber-hack. But EasyJet isn’t the only airline to fall foul of data protection laws. So, why are airlines failing to keep customer data safe?

The EasyJet data breach

EasyJet knew about the hack as far back as January 2020 but took four months to tell everyone affected. The 2,208 customers who had their credit card details accessed were informed about the EasyJet data hack slightly earlier, in April 2020, but that is still a very significant delay.

Under the General Data Protection Regulation (GDPR), if a breach is likely to result in a “high risk of adversely affecting individuals’ rights and freedoms”, organisations must inform those involved without undue delay. So why did the airline take so long to warn customers that hackers had their personal information?

CVV details were included in the EasyJet breach

According to the BBC, the “stolen credit card data included the three-digit security code – known as the CVV number – on the back of the card itself”. Under the worldwide Payment Card Industry Data Security Standard (PCI DSS), companies are not allowed to store CVV numbers, because if a hack takes place and a cybercriminal gets hold of your CVV number (along with other card data), the results could be disastrous.

The British Airways data breaches

In 2018, almost 400,000 British Airways (BA) customers had their personal and payment card details stolen in one of the most severe cyber-attacks in UK history. In response, the airline was fined £20 million by the Information Commissioner’s Office (ICO). But data security at BA is even worse than you might think.

A series of data protection failures at BA

While the first data failure was being investigated, a second data breach was also spotted at the airline. In this instance, 77,000 people had their names, addresses, email addresses and detailed payment information taken. This included card numbers, expiry dates and CVV numbers. A further 108,000 people had their personal details stolen. This hack could have left customers exposed for months.

Also, in 2019, security researchers uncovered unencrypted links within BA’s e-ticketing process. And BA is not alone. The same security firm discovered similar weaknesses affecting several other airlines, including Southwest, KLM, Air France, Jetstar, Thomas Cook, Vueling, Air Europa and Transavia.

This raises the question: why are these airlines not learning from their mistakes?

SITA airline data breach

On 24 February 2021, SITA suffered a “highly sophisticated” attack on its IT systems. SITA provides booking and reservation systems to many airlines worldwide. SITA stored passenger details on its servers, and some of that information may have been accessed in this breach. As a result, the details of millions of passengers could now be compromised.

SITA has contacted all affected customers (and the related airlines) to let them know about the data breach. If you are concerned – especially if you are a frequent flyer – and you have not received an email about this breach, it is worth checking your spam folder to be sure you are not affected.

The Cathay Pacific data breach

In another airline data breach, Cathay Pacific Airways Limited was fined £500,000 by the ICO following a massive data breach. This was the maximum penalty possible in this case because older data protection laws were in place when the breach happened.

The airline’s failure to secure its systems resulted in the personal details of some 9.4 million customers being exposed. Of these customers, 111,578 were from the UK.

The ICO found a catalogue of errors during its investigation. This included:

  • Back-up files that were not password protected
  • Unpatched internet-facing servers
  • Use of operating systems that were no longer supported by the developer
  • Inadequate anti-virus protection.

To make matters worse, it took more than six months before the breach was made public. During this time, Cathay Pacific customers were unable to take steps to protect themselves against cybercriminals.

Should airline passengers be worried about data privacy?

Unfortunately, yes. Too many airlines have poor security processes and are reliant on outdated legacy software. This creates vulnerabilities that can be easily exploited. And this makes airlines a very attractive target. Following the 2019 BA data breach, Israel Barak, chief information security officer at cybersecurity company Cybereason, said:

“For the consumer flying with British Airways, or with other carriers, they should be working under the assumption that their personal information has been compromised many times over.”

And, after the EasyJet data breach, James Smith, head of penetration testing at Bridewell Consulting, told the Independent that:

“Airlines hold valuable personal information [that] could all be used by criminal organisations to commit identity fraud or further phishing campaigns as part of a larger operation,” he said. “Even the barcode on someone’s airline ticket is a route into gaining personal data.”

Another report highlights the scale of the threat facing travellers, stating that there has been a:

“Massive increase in attacks targeted at the scheduled passenger air transportation sector”.

Indeed, between 2017 and 2018, the number of airline attacks increased by 4,300%.

Get justice for an airline data breach violation

Airlines handle a lot of sensitive personal data, and it is vital that this is kept safe. However, all too often these companies are letting customers down and there has been a massive increase in the number of attacks targeted at the scheduled passenger air transportation sector.

IF YOU HAVE BEEN A VICTIM OF AN AIRLINE DATA BREACH, WE CAN HELP YOU MAKE A NO-WIN, NO-FEE CLAIM FOR COMPENSATION.

Contact Keller Postman UK’s expert data breach lawyers to discuss an airline data breach.

Published by
Keller Postman
4 years ago