SITA, which handles a variety of digital services for about 90% of the world’s airlines, issued a statement indicating that it experienced a “serious” and “highly sophisticated” data breach on February 24. The incident is shaping up to be a very large example of a supply chain attack, with a number of major airlines reporting that their frequent flyer programs were compromised as a result of the breach.
SITA attack impacts major airlines throughout the world
SITA handles a broad profile of online services for nearly all of the world’s major airlines: reservations, issuing of tickets, management of departure times and administration of rewards and frequent flyer programs. It is that last component that seems to have been the focus of the attack, given that a number of major airlines have followed up by issuing statements indicating that their frequent flyer programs have been compromised. SITA has yet to inform the public of the full extent of the breach, keeping its initial announcement very short and low on specifics. The company told TechCrunch that it will release more information once its internal investigation into the incident is complete.
The airlines that have already released their own statements regarding a breach of their frequent flyer programs include United, American Airlines, Lufthansa, Cathay Pacific, Singapore Airlines, Air New Zealand, Malaysia Airlines, Finnair and Jeju Air. The breach appears to include data from customers that were registered with these programs from March 2010 to June 2019.
United Airlines told its customers that members of its Star Alliance frequent flyer program had some unspecified data exposed, but that it did not contain personal information or passwords. American Airlines sent a similar notification to customers that use its AAdvantage rewards program. Singapore Airlines said that about half a million of its customers in its KrisFlyer program had their membership numbers and tier status exposed, but not any personal or login information. Malaysia Airlines, Finnair and Air New Zealand also issued emails or statements to the same effect.
While SITA has some 90% of the world’s airlines as its clients, not all of those clients contract with it for anything related to their frequent flyer programs. Since early 2020, SITA has offered what is essentially a “frequent flyer program in a box” service to major airlines. Its internal workings are unclear, but it would appear that sensitive personal information may stay on the local airline servers, given that most airlines are reporting that only superficial details of loyalty accounts were exposed.
It will probably remain unclear exactly what the scope of this supply chain attack is until SITA completes its internal investigation. In the meantime, some of the major airlines have advised customers to change their loyalty account login passwords out of an abundance of caution. Loyalty programs are of great interest to hackers as they provide a variety of personal information that can be used for more targeted scams and attacks, and accumulated loyalty points can frequently be cashed out for gift cards that are very difficult to track or cancel once they cross international borders. With just a loyalty program number, hackers can forge an authentic-looking phishing email that might trick customers into logging in via an attack site that captures their information or might convince them to open an attachment that contains malware.
Data breaches of the sort that hit the major airlines often initially appear to be much smaller than they actually are, until investigations and audits are completed. While the hope is that this supply chain attack revealed only relatively basic frequent flyer program information, Andrew Barratt, Managing Principal of Solutions and Investigations at Coalfire, speculates on what else the hackers might have had access to given what we know at this time: “Airlines are a rich source of information, with a big supply of Passenger Name Records (PNRs) that are used to share information between booking systems, global distribution systems (GDS) and hotels … Airlines in general are a high profile target, with loyalty data that can be easily monetized and huge volumes of data including often a large volume of payment data as was seen in the British Airways breach.”
Supply chain attacks remain in the headlines
Supply chain attacks have been an intractable problem for all types of organizations for years, particularly large ones that can have hundreds to thousands of various vendors and contractors. However, these attacks seem to have become a more acute and high-profile problem in the past year or so. As Sanjay Aurora, Managing Director of APAC at Darktrace, notes: “Supply chain attacks have surged at an alarming rate in recent months – from the SolarWinds Orion campaign to the recent attack on Centreon software, we’re seeing that third-party software is an attractive place for attackers to plant themselves and sneak inside their targets. Complex global supply chains offer those with criminal intent many points of vulnerability that may be tested in the pursuit of compromising systems … The challenge that businesses must face urgently is not an audit of all their suppliers but how to manage the pervasive risk that suppliers from all over the world bring. That’s why a growing number of companies today are adopting a zero-trust policy when it comes to both their internal environment and supply chain.”
SolarWinds was the most egregious and high-profile example of a supply chain attack in some time, apparently originating from a highly sophisticated nation-state threat actor and impacting some 18,000 organizations including government agencies and Fortune 500 companies. Though it is a headlining example, the SolarWinds attack is merely part of a growing trend toward supply chain attacks among the most sophisticated nation-state groups and cyber criminals; some variants of these attacks, such as the seeding of open source projects with vulnerabilities, are up as much as 430% in the past year.
Attackers know that government agencies and large enterprise-scale organizations face inherent difficulties in securing the full scope of their sprawling supply chains from cyber attacks. In some cases, the absence of adequate legal and regulatory frameworks means there is little pressure on organizations to keep their security up. But even when larger organizations commit to doing the right thing and have contracts and regulations in place behind them, smaller vendors will sometimes skirt the rules anyway due to cost, lack of competence or even the actions of a rogue employee. The more vendors there are to manage, the more likely it is that one of these things happens at some point.
So what can be done about this problem? Timothy Chiu, Vice President of Marketing for K2 Cyber Security, suggests that compliance with established security frameworks is one of the first things to look at: “Making sure your organization only shares the essential data needed, and verifying that your partners and suppliers are implementing and following a security framework, like the one outlined by NIST (National Institute of Standards and Technology) in SP800-53, is as important as making sure your own organization is secure … Even NIST recognizes that attacks on applications and the loss of data from those attacks have increasingly become a problem. NIST added specific requirements around application security, RASP and IAST, in their latest revision of the SP800-53 security policy framework that was released in September of 2020.”
Demi Ben-Ari, Co-founder and CTO of Panorays, also notes that rigorous ongoing auditing and monitoring is becoming a reality given the present circumstances: “You simply cannot know whether your third parties meet your company’s security controls and risk appetite until you’ve completed a full vendor security assessment on them. But through automated questionnaires, external footprint assessments, and taking into consideration the business impact of the relationship, you can get a clear, up-to-date picture of supplier security risk. It’s important to note that the best practice is not a ‘one-and-done’ activity, but through real-time, continuous monitoring.”