May 20, 2025

Steven Bentley

Sofema Aviation Services (SAS) considers several examples of Cybersecurity Breaches

Introduction

The following examples illustrate how vulnerabilities, whether in operations, IT infrastructure, or third-party systems, can impact aviation safety, continuity, and reputation.

British Airways Data Breach (2018)

Type: Data Theft

Impact: 500,000 customer records compromised
Method: Injection of malicious code via third-party scripts on the website and mobile app
Operator Impact:

  • Severe reputational damage
  • £20 million ICO fine (reduced from the initial £183 million)
  • Customer trust erosion and legal action

 Lessons for Operators:

  • Cybersecurity must extend to all digital touchpoints, including websites and mobile apps.
  • Third-party scripts and plugins are often overlooked but can be critical vulnerabilities.
  • Operators must conduct rigorous vendor risk assessments and continuous monitoring.

LOT Polish Airlines System Hack (2015)

Type: Operational Disruption
Impact: Over 10 flights cancelled, 1,400 passengers affected
Method: Attack on ground operations—flight plan system at Warsaw Chopin Airport
Operator Impact:

  • Disrupted flight schedules for over 5 hours
  • No aircraft systems were compromised, but dispatch and planning were halted

Lessons for Operators:

  • Critical ground-based systems such as flight planning, load sheets, and dispatch must be cyber-resilient.
  • Incident response plans must include rapid restoration procedures for core flight operation systems.

Cathay Pacific Breach (2018)

Type: Personal Data Breach
Impact: ~9.4 million passengers’ data compromised
Method: Undetected system intrusion over several months
Operator Impact:

  • Serious regulatory scrutiny and public backlash
  • £500,000 fine by the UK ICO due to failure to secure personal data

Lessons for Operators:

  • Continuous network monitoring and intrusion detection are crucial for early breach identification.
  • Cybersecurity isn’t just an IT issue—it’s a corporate governance and compliance matter.

United Airlines Bug Bounty Disclosure (2015)

Type: Ethical Disclosure / Vulnerability Exposure
Impact: Reward of 1 million frequent-flyer miles to a researcher
Method: An ethical hacker reported a vulnerability in the airline’s website
Operator Impact:

  • Demonstrated proactive use of a bug bounty program
  • Helped improve system security while encouraging responsible disclosure

Lessons for Operators:

  • Establishing bug bounty programs or secure vulnerability disclosure policies can proactively uncover flaws.
  • Partnering with ethical hackers can strengthen perimeter and internal defences.

 SITA Passenger Service System Breach (2021)

Type: Supply Chain Breach

Impact: Data of millions of passengers across multiple global airlines compromised

Method: Breach of SITA’s Passenger Service System (used by over 90% of airlines)

Operator Impact:

  • Exposed sensitive data, including frequent flyer records
  • Airlines affected: Lufthansa, Singapore Airlines, Air New Zealand, and others

Lessons for Operators:

  • Reliance on third-party providers necessitates joint cybersecurity frameworks and accountability.
  • Operators must demand compliance with security standards (e.g., ISO 27001) from suppliers and subcontractors.

Key Takeaways for Commercial Aircraft Operators

  • Cybersecurity is operational security: Attacks can directly affect flight operations, not just data systems.
  • Third-party risks are real: Vendor access to critical systems is often the weakest link.
  • Compliance is not optional: Fines and reputational damage are severe consequences of neglect.
  • Proactive defence matters: Bug bounty programs, penetration testing, and continuous monitoring help reduce exposure.
  • Training and awareness: Staff at all levels should be trained to recognize cyber risks, especially those in operations, IT, and customer service.

Next Steps

Follow this link to our Library to find and download related documents for free.

Sofema Aviation Services and Sofema Online provide Information and Cyber Security Regulatory Training as Classroom, Webinar and Online Training – Please see the websites or email [email protected].
