A “data security event” is how Cathay Pacific’s boss, Rupert Hogg, characterises what is likely to prove the most damaging cyber attack ever to hit an airline.
The theft of highly sensitive information on 9.4 million people makes BA’s experience last month – in which 380,000 passengers had financial details stolen – look like a data security non-event.
Whoever hacked the Hong Kong-based airline has obtained an extremely rich seam of identity details: name, date of birth, phone number, email, address, passport number and historical travel information.
We can safely assume that scam emails are already going out asking people to click on a dodgy link or send more personal information to fraudsters.
But the scale and depth of the Cathay Pacific data breach will erode travellers’ confidence in airlines’ cyber security.
Mr Hogg said: “We want to reassure our passengers that we took and continue to take measures to enhance our IT security.”
And his airline’s statement made clear: “The IT systems affected are totally separate from its flight operations systems, and there is no impact on flight safety.”
But a nervous passenger would be forgiven for pointing out that Cathay Pacific’s IT team looks after both passenger data and the carrier’s extremely sensitive flight-information systems. And anxious travellers can seize on plenty of other examples of aviation’s vulnerability to malice.
The very first world wide web was established almost 70 years ago: the Société Internationale de Télécommunications Aéronautiques (SITA) connected the communications networks of 11 airlines, and facilitated the dramatic post-war expansion of aviation.
Airlines and airports, like banks, run on an unenviable tangle of legacy computer systems that have had to be meshed with 21st century technology and connectivity.
The British Airways meltdown over the late May bank holiday in 2017 was accidental; when an uninterruptible power supply was interrupted and then restarted, parts of the airline’s data hub were fried.
Similarly, Gatwick’s departures screens went blank in August 2018 for the comfortingly analogue reason of someone inadvertently slicing through a cable.
More sinister is the data breach that put Bristol Airport’s flight information system out of use for two days last month – and the extraordinary cyber attack on Hanoi Airport in 2016, in which Chinese hackers replaced flight departure information with anti-Vietnam messages, and even briefly took over the public-address system.
For the millions of Cathay Pacific passengers affected by the latest data breach, like the British Airways customers whose credit card details were stolen, the coming days and weeks will be stressful as they wait to find out how the cyber criminals might abuse their data.
But a deeper concern for aviation security is that the success of what appears to be straightforward financial fraud may encourage terrorists groups to try their luck. The airline industry must move fast to reassure the travelling public that flights are properly protected.
