Cyber complacency the unwitting accomplice of hackers
A cyber attack on an Asia-Pacific airline’s database is an ever-present danger. The fact that hackers accessed the addresses and personal and credit card details of 380,000 British Airways (BA) customers from late August to early September this year is proof of that.
British Airways has yet to complete its investigation into the breach and also determine the damage the hackers did to the airline’s reputation. In the meantime, the assault emphasizes the importance airlines must place on preserving the security of all their data.
In February, the Association of Asia-Pacific Airlines (AAPA), in partnership with the Qantas Group and Singapore aviation authorities, conducted the first of four interactive workshops on airline cyber security prevention. The second gathering will be held in Hong Kong next month.
Issues being discussed at the workshops range from risk awareness and strategic planning to strengthening resilience and fostering links in the airline supply and operations chain.
Elsewhere, Europe’s introduction of the General Data Protection Regulation (GDPR) has added a layer of legal complexity to the business of running an international airline as it requires greater transparency about the collection of personal data from European Union citizens.
From May this year, businesses, including airlines, must report cyber attacks or data breaches within 72 hours of becoming aware of them. Failure to do so will attract severe penalties.
Generally, airlines have been reluctant to admit hackers have stolen their passenger data out of fear of losing business. But criminal or mischievous hacking of valuable corporate databases is no longer an isolated experience.
It is now essential, as far as the EU is concerned, that victims of cyber attacks admit the breaches so damage control systems can be quickly put in place.
It might be naively assumed that Asia-Pacific airlines don’t need to bother about GDPR, but that assumption is wrong. Our airlines may be based far from Europe, but the new rule applies to us too. Europeans fly on every category of carrier in the region and our websites are open to European eyes. Within the region, Singapore, South Korea and Japan are among Asian nations that have data protection rules, as does the U.S.
At the 2017 Australian Airports Association conference, Sydney Airport general manager technology, Stuart Rattray, told delegates airlines and airports were “so connected through processes, people and also through IT that if one of us is under attack we can think of ourselves as all being under attack”.
He added that “airlines should not rely solely on their IT departments to manage their cyber security”. He said it was a generally accepted rule that 80% of cyber risk was about people and approximately 20% was about the technology.
The British Airways data breach and the GDPR, while not directly related, highlight with dramatic effect the dangers of digital data theft. They also emphasise the importance of investing in effective cyber defences to defeat the efforts of hackers intent on stealing passenger and operations data from airlines.