2018 has already been a troubling year for UK businesses when it comes to cyber-attacks. It was even revealed that the average value of fines issued by the Information Commissioner's Office has doubled over the last year. One area that has been hit particularly hard is the airline industry. With the holiday season approaching, will more flyers be let down by poor IT?
The plethora of data breaches we have witnessed over the past year has been remarkable. British Airways reported two separate hacks, and it was announced recently that the data breach was more far-reaching than initially suspected. Russian airline Aeroflot was reported to have exposed a Docker registry to the public internet back in September this year, and we can't forget the very recent Cathay Pacific data breach, in which the personal data of around 9.4 million passengers of Cathay and its unit Hong Kong Dragon Airlines Limited was accessed without authorization. This included 860,000 passport numbers, about 245,000 Hong Kong identity card numbers, 403 expired credit card numbers and 27 credit card numbers with no card verification value (CVV).
Using the latest BA data breach revelation as an example, these breaches could suggest a lack of focus from airlines. Is it possible that airlines are investing too much in keeping their aircraft in the sky, as opposed to guarding passenger data on the ground, in their own IT systems?
It’s disheartening but not surprising that hackers exploited British Airways again. As the amount of personal data held by organizations continues to grow, hackers are finding more sophisticated ways to gain access to this data and use it to make a profit. Application security is a US$3 billion market and climbing because applications are vulnerable to attack and are one of the top weaknesses hackers look to exploit.
Although there has been some improvement, organizations need to fix bugs much faster. The research in our State of Software Security Report (SoSS) showed that more than 70% of all software flaws remained unfixed one month after discovery, and nearly 55% remained three months after discovery.
As businesses become more dependent on web apps, not fixing bugs quickly creates a greater attack surface. In addition, developers are using open source components for a majority of their code, gaining speed but increasing risk if vulnerabilities are not accounted for.
Furthermore, with GDPR now in full force, the board at BA will have to consider its exposure to regulatory fines, especially as it again took months for the breach to be detected. As with other breaches, the financial losses are likely to outstrip what it would have cost to improve security in the first place.
Customers are right to be angry. If organizations want to avoid becoming the next victim of a breach it is crucial that they take significant steps to secure their software quickly to ensure that they are doing the utmost to protect data privacy.