What the United Hack Tells Us About Cyber Threats in the Travel Industry
When it comes to cyber security, the US travel industry hasn’t had a great summer – in the last few months alone, we’ve learned of three successful hacking attempts against major airlines and their partners.
First of all, United Airlines – the world’s second-biggest airline – detected an intrusion into its systems in May or early June, according to the anonymous sources who brought the story to Bloomberg the following month. A subsequent forensic investigation attributed the attack to the same China-backed group believed to have stolen millions of records from the US Office of Personnel Management (OPM) and the health insurer Anthem.
Barely a week later, it was reported that American Airlines – the world’s biggest airline – had been the target of a similar intrusion, again attributed to state-sponsored actors in China. At the same time it emerged that Sabre, the travel and hotel booking company, had suffered the same type of cyberattack.
Why is China collecting masses of data from these organizations? As I said in my previous blog, the likely motive is to build an extensive database of US officials’ personal information and movements, which could be used to identify US intelligence officers and their human assets in China and around the world. Security researchers have also pointed out that an adversary with this level of access could just as easily have altered or deleted data, disrupting the airlines’ operations and causing chaos for the millions of passengers they carry each year.
In a world where terrorists, nation-states, and sophisticated criminals are all interested in using cyber weapons to achieve their financial and strategic objectives, this isn’t the kind of data breach we can just shrug our shoulders about.
But what else do the United and American Airlines hacks tell us about cyber threats in the travel industry?
Airlines, Too, Need to Act to Improve Security
To date, few details have emerged about the United and American Airlines hacks. We don’t know what data was targeted, how much of it was stolen, or how the hackers first got into the networks. It is safe to assume, however, that both companies could have done more to protect themselves.
A number of insider reports point that way. Perhaps the least surprising of them is that United’s hackers were apparently inside the airline’s network, undetected, for more than a year: the earliest evidence of the intrusion dates back to April 2014. Numerous reports and surveys show that sophisticated adversaries routinely remain undetected inside breached networks for months on average.
Moreover, one source said that one of the “chief tasks” of the forensic investigation has been to identify any remaining backdoors into the network – which suggests United is still far from establishing where its vulnerabilities lie and where its security needs to be improved.
The China-backed group understood to have carried out all three attacks has an impressive track record: roughly 80 million records were stolen in the Anthem breach and more than 20 million from the OPM. According to some experts, however, the group is not especially sophisticated. Speaking to Bloomberg after the American Airlines hack, Brendan Conlon, a former NSA deputy chief for integrated cyber operations, said it would have taken “five or six people tops” to pull off one of these attacks.
The travel industry, much like other sectors that have experienced cyberattacks, needs to accept that the threat landscape is changing quickly. Attackers have progressed from individuals stealing information for personal gain to nation-states seeking government secrets, corporate data and intellectual property.
Every organization should be examining its security practices and systems to make sure they can keep pace with today’s evolving threats. Network defenders must assume they will be breached and prepare accordingly: manage privileged user accounts more tightly, limit third-party access, and harden the most sensitive assets. Doing so reduces the footprint and impact of a breach, and with it the threat to the business, its reputation and, in the case of the airlines, their passengers’ well-being.