At a glance.
- Two US airlines hit with third-party data breach.
- Grafana releases update to resolve critical bug.
- Tips for responding to a data breach.
Third-party breach affects airlines.
US-based air travel giants American Airlines and Southwest Airlines have disclosed they were impacted in the data breach of third-party vendor Pilot Credentials. CSO Online recounts that in May Pilot Credentials, a pilot recruitment firm popular with many major air travel providers, informed the airlines its systems had been hacked the month before and that an intruder stole documents containing pilot application data. Southwest reported that a total of 3,009 applicants were impacted, while American Airlines says the “name and Social Security number, driver’s license number, passport number, date of birth, Airman Certificate number, and other government-issued identification number(s)” of 5,745 individuals were exposed.
Both airlines sent out notification letters to affected individuals on June 23, and they reportedly ceased their partnerships with Pilot Credentials, instead using internal systems to process applications. The Register notes that neither airline’s own systems have been compromised, and both say there’s no evidence any of the breached data has been used in any scams (yet). Bleeping Computer adds that this is not American Airlines’ first cyber incident in recent years: in September 2022 the airline suffered a data breach that impacted over 1,708 customers and employees, and in July 2022 a cyberattacker compromised employee email accounts.
Darren Williams, CEO and Founder of BlackFog, put the breach in the context of travel brands’ exposure. “Major travel brands continue to fall victim to data exfiltration, leading to inevitable extortion by cyber gangs. This comes on the back of last year’s attacks on Uber, InterContinental Hotels and Marriott International. What is particularly noteworthy about this attack is the extent of the breach, and the targeting of third-party suppliers to obtain the data. The downstream access to data is a constant theme that has even affected US Customs and Border Protection. With 89% of all ransomware now exfiltrating data, it’s important organizations are looking at next generation cybersecurity tools to protect their most valuable asset: their data.”
Erich Kron, security awareness advocate at KnowBe4, described the inherent risk of giving third parties access to sensitive data:
“This breach illustrates the dangers of providing sensitive information to third parties. Unfortunately, supply chains have been increasingly targeted, causing users of their services a considerable amount of grief. In many cases it is more economically feasible to enlist vendors to handle services such as managing resumes, job requests, and many other functions. A problem with that is the inherently sensitive nature of the information being handled by the third party when using a third party for these services. As in this case, when things do go wrong, it often reflects more poorly on the organizations that use the service than it does on the service provider.
“When an organization is going to use a third-party service to process or gather information, especially anything of a sensitive nature, special care needs to be taken with respect to security and should be part of the contract with the vendor. How the data is handled, who has access, how it’s secured, and how long it’s retained are some of the key concerns that should be handled within the contracts. The security of any third parties who are handling your sensitive information should be vetted to ensure that their security standards meet or exceed those of the organization that is hiring them.”
Roy Akerman, Co-Founder & CEO of Rezonate, seconded the importance of managing third-party exposure. “Third party access and supply chain risks continue to be the leading reasons for recent security breaches. Whether critical information is managed by a third-party application, or a vendor has direct access to one’s infrastructure, additional security risk is introduced and therefore must be monitored and controlled. While organizations are realizing more and more that third party risk is their risk, more work is required to enable this awareness across people, technology and processes.”
Nick Tausek, Lead Security Automation Architect at Swimlane, presented some approaches to mitigating this kind of risk:
“Data breaches are becoming more frequent and more costly, but they don’t have to be. To significantly reduce the risk of data breaches, airlines must collaborate closely with third-party vendors to prioritize the implementation of robust security measures. This includes practices such as multifactor authentication and regular password updates, and evaluating whether or not their current security strategy is leaving room for delays in threat detection and incident response.
“The reality is that manual security processes are often time-consuming and prone to errors, leaving organizations vulnerable to attacks. Security automation tools, especially those of the low-code variety, can accelerate security teams’ capabilities to keep pace with the evolving threat landscape.”
Sally Vincent, Senior Threat Research Engineer at LogRhythm, also had some suggestions for managing third-party risk:
“In addition to the challenges of managing and detecting threats within an enterprise’s IT infrastructure, assessing third-party risk is also a critical aspect. For airlines, it is essential to have strong communication and notification tools, as well as a deep understanding of how to effectively configure their complex IT environment. This allows them to gain a comprehensive view of anomalous and malicious activities across all fronts, enabling a prompt and thorough response. By implementing a well-configured security monitoring solution that provides complete visibility, including for third-party vendors, it would have been more likely to detect indicators of compromise and mitigate the threat in a timely manner.”
Darren James, senior product manager at Specops Software, also views the incident as a wake-up call about vendor risk. And it’s not only risk from vendors, but a risk to vendors. “This breach is an important reminder of the importance of security in your third-party vendors. Post-breach, both American and Southwest have now broken ties with the hacked recruiting vendor in favor of using internal systems,” James wrote. “So this breach has not only lost personal data of thousands of pilots, but also cost the vendor two large customers, and therefore business as well as reputational loss for all concerned. It is more important than ever to properly evaluate your supply chain vendors, even outside of IT, making sure they comply with the same (if not stricter) cyber security policies than your own and follow regulatory requirements—particularly if they are going to be handling sensitive data on your behalf.”
Grafana releases update to resolve critical bug.
Grafana, a popular open-source analytics and interactive visualization app used by household names like Wikimedia, PayPal, and JP Morgan Chase, has issued patches for a recently discovered critical vulnerability with a 9.4 severity score. Bleeping Computer explains that the bug allows an attacker to bypass authentication and hijack any account that uses Azure Active Directory for authentication. An advisory from Grafana reads, “If exploited, the attacker can gain complete control of a user’s account, including access to private customer data and sensitive information.” The advisory lists the recommended versions to upgrade to, as well as mitigations for those who are unable to update their Grafana instances.
Tips for responding to a data breach.
While the ideal scenario is to avoid a data breach altogether, this isn’t always possible. Dark Reading offers recommendations for CISOs on how to react when the worst happens. Knowledge of state incident reporting rules is essential, as timely reporting can help the impacted organization receive adequate support and avoid unwanted penalties. When it comes to disclosing a breach, it’s not only a question of when to report, but also what information to share and with whom. When informing stakeholders of a cyber incident, it’s important to fully relate the scope and nature of the breach, as well as investigation efforts and remediation endeavors. Transparency can go a long way in easing frustration and confusion. And of course, in addition to privately notifying stakeholders, a public statement can show that the organization takes full responsibility for the incident and can earn trust.