A breach of a third party vendor used by some airlines to process pilot job applications has exposed at least 8,700 records, according to data breach disclosures made by American and Southwest Airlines.
Pilot Credentials is an online recruitment service through which pilots can store a profile of their experience and education. Certain airlines, primarily American and Southwest, maintain their own portal page at the site that interfaces with their internal employment and screening process. These portals have been disabled in the wake of the data breach.
Third party vendor breach may have exposed highly sensitive job applicant information
The breach reportedly took place on April 30, with Pilot Credentials notifying the airlines of it on May 3. American and Southwest Airlines both filed data breach notifications last week with Maine’s Office of the Attorney General, with American reporting the loss of 5,745 records and Southwest reporting 3,009.
The data breach notifications advise that the records may have contained highly sensitive information: Social Security numbers, driver’s license numbers, passport numbers, dates of birth, Airman Certificate numbers, and other government-issued identification numbers. The airlines have said that they have cut ties with the third party vendor and are now directing all applicants to their own internal systems.
Both airlines claim that there is “no evidence” of this information being “misused,” but that usually means only that it has not yet been offered for sale on a dark web forum. The information may be traded privately, or the hackers may opt to use it themselves in an assortment of scams and targeted phishing schemes. Pilots who made use of the third party vendor, even those who did not have applications in with Southwest or American, are advised to be on heightened alert for these sorts of attempts in the near future.
There is still little information available about how exactly Pilot Credentials was breached. The data breach notification only indicates that an “unauthorized individual” gained access for at least one day and exfiltrated sensitive information. Without knowing whether that was a known criminal hacking group or some sort of disgruntled former employee of the third party vendor, it is impossible to know how far the stolen information has traveled or exactly what level of risk the impacted pilots are facing. The Pilot Credentials FAQ https://pilotcredentials.com/faq says that it does not store any sensitive or personal information on its own servers, indicating that this breach may be limited to those that filed applications with American or Southwest via their portals.
American Airlines has had something of a string of data breaches since 2021, though not all of the most recent involved third party vendors. The airline was hit by email phishing attacks that targeted its employees in both July and September 2022, something that ultimately led to the compromise of over 1,700 employee and customer records. In March 2021, the servers of IT contractor SITA were breached leading to compromise of a Passenger Service System (PSS) used by American (and a number of other airlines) for functions like ticketing and boarding.
Vendor data breaches continue to haunt organizations
As American’s recent history demonstrates, organizations continue to struggle with both internal and third party vendor security. There continues to be relatively minimal control over the latter; all organizations can do is subject their vendors to greater scrutiny and stricter contractual obligation, a situation that can become onerous.
According to Oz Alashe MBE, CEO of CybSafe: “Organisations need to do more to stress the importance of cyber security across all partnerships. While technical solutions are important, equal emphasis should be placed on how we view cyber security from a human, behavioural perspective. People are the first and last line of defence in protecting a company’s data, and organisations should be giving them the tools to be part of the solution. We will make significant improvements by targeting the specific behaviours that leave individuals vulnerable to attack and addressing them through positive cooperation.”
The generally accepted minimum standard is that third party vendors with access to sensitive information undergo independent security auditing at least annually, including practical tests involving employees such as simulated social engineering and phishing. However, as one might anticipate given that this is not legally mandatory in many industries, this tends not to happen. A 2022 report from IBM and the Ponemon Institute found that a little over half of all organizations do not even maintain a complete list of all the vendors that have access to their internal network, and 65% do not have a process in place to identify the vendors that have access to sensitive data.
Roy Akerman, Co-Founder & CEO of Rezonate, notes that these organizations are ignoring the largest statistical risk: “Third party access and supply chain risks continue to be the leading reasons for recent security breaches. Whether critical information is managed by a third-party application, or a vendor has direct access to one’s infrastructure, additional security risk is introduced and therefore must be monitored and controlled. While organizations are realizing more and more that third party risk is their risk, more work is required to enable this awareness across people, technology and processes.”
And in the absence of a federal standard, varying state data breach laws can create a compliance headache. Each state has its own disclosure laws, and while they tend to share some similar core components, they also differ substantially in their requirements for third party vendors with access to a primary company’s sensitive internal data. This creates variance in what organizations can legally compel their vendors to do based on the range of states they are operating in. And the issue becomes even more of a headache when some of those vendors are based in foreign countries.
Erfan Shadabi, cybersecurity expert with comforte AG, suggests some technical measures to help stop third party vendor data breaches before they even become an issue: “To mitigate the risks posed by data breaches, organizations across industries should adopt data-centric security approaches like tokenization and format preserving encryption. Tokenization replaces sensitive data with non-sensitive tokens, rendering the stolen information useless to unauthorized individuals. Format preserving encryption protects the data’s format while encrypting it, enabling secure storage and transmission while maintaining its usability. These techniques enhance data security by limiting exposure, reducing the value of stolen data, and minimizing the potential impact of breaches.”
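To make the vault-based tokenization Shadabi describes concrete, here is a small worked example written for this page (it is not code from comforte AG, Pilot Credentials or either airline). The applicant record, the field formats for passport and Airman Certificate numbers, and the in-memory vault are all assumptions for the demo: the point it shows is that the application datastore, the part a recruitment portal would expose in a breach, holds only same-shape tokens, while the real values live behind a separate vault with its own access control.

```python
"""Vault-based tokenization demo (constructed example, not production code).

The application datastore never holds the sensitive value, only a token of
the same shape. The token -> value mapping lives in a separate vault. A breach
of the application datastore then yields tokens that are useless without it.
"""
import re
import secrets
import string

# Expected field formats: used to verify that tokens still pass the same
# validation code as the real values. Passport and certificate shapes are
# assumptions for this demo, not the real formats.
SSN_RE = re.compile(r"^\d{3}-\d{2}-\d{4}$")
PASSPORT_RE = re.compile(r"^[A-Z]\d{8}$")
AIRMAN_CERT_RE = re.compile(r"^\d{7}$")


def random_same_shape(value: str) -> str:
    """Random string with the same character classes as ``value``: digits stay
    digits, letters stay letters of the same case, punctuation is kept."""
    out = []
    for ch in value:
        if ch.isdigit():
            out.append(secrets.choice(string.digits))
        elif ch.isupper():
            out.append(secrets.choice(string.ascii_uppercase))
        elif ch.islower():
            out.append(secrets.choice(string.ascii_lowercase))
        else:
            out.append(ch)
    return "".join(out)


class TokenVault:
    """Holds the only copy of the sensitive values. In practice this is a
    separate service with its own keys, audit log and narrow API; here it is
    an in-memory dict so the example runs offline."""

    def __init__(self) -> None:
        self._token_for: dict[str, str] = {}   # value -> token (dedup)
        self._value_for: dict[str, str] = {}   # token -> value

    def tokenize(self, value: str) -> str:
        if value in self._token_for:           # same value -> same token
            return self._token_for[value]
        while True:
            token = random_same_shape(value)
            # Reject the identity mapping and any token already in use.
            if token != value and token not in self._value_for:
                break
        self._token_for[value] = token
        self._value_for[token] = value
        return token

    def detokenize(self, token: str) -> str:
        """Only callers authorised to see the real value should reach this."""
        return self._value_for[token]          # KeyError for unknown tokens


SENSITIVE_FIELDS = ("ssn", "passport", "airman_cert")


def tokenize_record(vault: TokenVault, record: dict) -> dict:
    """The record as the application datastore should store it."""
    stored = dict(record)
    for field in SENSITIVE_FIELDS:
        if field in stored:
            stored[field] = vault.tokenize(stored[field])
    return stored


def restore_record(vault: TokenVault, stored: dict) -> dict:
    """Reverse of tokenize_record for an authorised workflow (for example the
    final background check), the only place plaintext should reappear."""
    record = dict(stored)
    for field in SENSITIVE_FIELDS:
        if field in record:
            record[field] = vault.detokenize(record[field])
    return record


# Constructed applicant record; every value is made up.
APPLICANT = {
    "name": "Jane Example",
    "ssn": "123-45-6789",
    "passport": "C12345678",
    "airman_cert": "3456789",
}


def demo() -> tuple[dict, dict]:
    vault = TokenVault()
    stored = tokenize_record(vault, APPLICANT)   # what the app datastore holds
    restored = restore_record(vault, stored)     # what an authorised reader sees
    return stored, restored


if __name__ == "__main__":
    stored, restored = demo()
    print("application datastore row:", stored)
    print("restored via vault:       ", restored)
```

Because the tokens are random rather than derived from the value, nothing in the stored row can be reversed offline; an attacker needs a live, authorised path into the vault. That is the practical difference from format preserving encryption, where the same-shape output is recoverable by anyone who obtains the key, so the key, not a vault, becomes the asset to protect.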
Sally Vincent, Senior Threat Research Engineer at LogRhythm, adds that airlines (and all sorts of other organizations) have ample room for improvement when it comes to visibility: “In addition to the challenges of managing and detecting threats within an enterprise’s IT infrastructure, assessing third-party risk is also a critical aspect. For airlines, it is essential to have strong communication and notification tools, as well as a deep understanding of how to effectively configure their complex IT environment. This allows them to gain a comprehensive view of anomalous and malicious activities across all fronts, enabling a prompt and thorough response. By implementing a well-configured security monitoring solution that provides complete visibility, including for third-party vendors, it would have been more likely to detect indicators of compromise and mitigate the threat in a timely manner.”