Qantas. Hawaiian. WestJet. Air France-KLM. Aeroflot. Each of these airlines has fallen victim to cyberattacks this summer.
And according to cyberdefense experts, it's reasonable to expect that airlines will continue to be targets of hackers, both the cybercriminal and state-sponsored varieties.
Recep Ozdag
"If I were a hacker, that's what I would do," said Recep Ozdag, a vice president in the cybersecurity division of Los Angeles-based Keysight Technologies.
"You've found an industry that is not well-protected. It's critical infrastructure with a lot of sensitive information. Why would I not go after that industry? It's low-hanging fruit.
WestJet was the first of the large airlines to report a breach this summer. Hackers were able to obtain travel-related documents, such as passports, but not payment information.
Hawaiian was struck next, on June 26. The airline didn't offer details on which of its IT systems were compromised, but the incident almost surely played a part in the FBI issuing a warning the following day that a notorious cybercriminal organization called Scattered Spider had turned its attention to the airline industry.
Next came a June 30 attack on Qantas, in which hackers gained access to a customer-servicing platform with the names, email addresses, birth dates and frequent flyer numbers of 6 million customers.
Hackers gained access to similar data from an early August attack on Air France-KLM.
The attack on Russia's Aeroflot in late July stands out among the summer onslaught both for its motive and impact. Two pro-Ukrainian hacking groups, Silent Crow and Belarusian Cyberpartisans, claimed credit for the attack, which unlike the others, impacted operations, forcing Aeroflot to cancel more than 100 flights. The hackers claimed the attack was the culmination of a year's work in which they had destroyed 7,000 Aeroflot servers and obtained control over airline employee computers.
The Aeroflot attack was political in nature, though not perpetrated by a state actor. But cybersecurity veteran Kayne McGladrey, a senior member of IEEE, the world's largest professional society of technologists, said airlines are also under continuous attack by nation states conducting espionage. Carriers, he said, have contracts to transport government workers whose data and itineraries are of interest to foreign spy agencies.
"Statecraft is a feature of the landscape. It's day-to-day normalcy," McGladrey said. "There are folks in government offices who do this for their job."
Even if an airline, perhaps jolted by this summer's events, decides to diligently invest the required resources to harden its systems, the process will take time, Ozdag said.
Large airlines typically rely on a wide mix of operating systems, including legacy technology that is decades old and not easily updated. Plus, their IT systems are sprawling. For example, in the chaos at Delta last year following a failed software update by cybersecurity provider CrowdStrike, the airline had to physically reset 40,000 servers.
"I think there is still an opening," Ozdag said about airline vulnerability, even if they are improving their defenses. "Is it six months? Is it a year? That depends on the airline. But if I'm a hacker, I've come to that conclusion."
Airlines also often rely on third-party providers for IT systems, a weakness that was exploited by hackers this summer. Qantas and Air France-KLM each reported that their customer data breaches came through third-party systems.
In its notice in late June, the FBI said Scattered Spider often uses phishing attacks -- impersonating employees or contractors to deceive IT help desks into granting access to internal systems. Ozdag, who works directly with aviation-aligned systems to help simulate real-world attack scenarios, said approximately 80% of successful hacks and system takeovers use similar types of social engineering attacks. The other 20% involve more direct methods, such as physical takeovers of IP systems and remote attacks on WiFi networks.
Kayne McGladrey
He said one reason airlines aren't as well protected as they could be is that they don't have the strong cybersecurity regulatory requirements that the financial services and healthcare sectors do. Still, he said, carriers should spend more on cyber audits, testing and security updates.
As far as attacks by state espionage services, McGladrey said airlines aren't the only target within the travel industry. An attack on the reservation system of Marriott's Starwood brands in 2018, which exposed nearly 500 million customer records, is believed to have been perpetrated by China.
Generally, espionage attacks aren't geared toward credit card fraud and personal account takeovers the way criminal cyberattacks can be, McGladrey said, but there's always a chance a government hacker will moonlight on the dark web.
While there's not much travelers can do to protect their data that is held by airlines, one step he suggests is putting a freeze on credit reports, which can prevent the unauthorized setup of new accounts.