According to a statement issued by the Turkish Personal Data Protection Authority, Turkish airline Pegasus Airlines suffered a very serious data breach because its AWS cloud storage bucket lacked data protection.
A large amount of Pegasus electronic flight bag (EFB) software source code, flight data, and crew personal information was reportedly stored in publicly exposed buckets, allowing unauthorized access to sensitive information. Turkey’s data protection agency confirmed the breach after receiving a data breach notification from the company.
The vulnerability that allowed unauthorized access was discovered on March 21 and resolved on March 24, according to the regulator.
A statement from the Turkish Personal Data Protection Authority confirmed that some Pegasus Airlines information had been accessed without authorization. The leaked information included names, surnames, phone numbers, email addresses, job titles, flight information from past trips, flight locations, and photos and signature images of some employees.
But the problem may be much more serious than the official disclosure suggests. Nearly 23 million files, totaling about 6.5 terabytes of data, were found in the bucket, with more than 3.2 million files containing sensitive flight data, according to security officers investigating the breach.
Investigators wrote in a blog post: “Information from the leaked storage bucket is linked to EFB software developed by Pegasus EFB, which pilots use for aircraft navigation, takeoff/landing, refueling, safety procedures and various other flight.”
“PegasusEFB’s open bucket allows anyone to access data including flight charts, navigation material and crew PII.”
“The bucket also exposed the source code of the EFB software, which contained plain text passwords and keys that someone could use to tamper with very sensitive files.”
Millions of People Face Catastrophic Threats
Millions of people could face a potentially catastrophic threat if someone read or downloaded the bucket’s files. “This exposure could affect the safety of every Pegasus passenger and crew member around the world. Affiliated airlines using PegasusEFB may also be affected,” the researchers said.
SafetyDetectives, which investigated the incident, said criminals and even terrorists could use passwords and keys in Pegasus EFB buckets to tamper with sensitive flight data and particularly sensitive files. While there is no certainty that pilots will use the bucket’s files on upcoming flights, changing the contents of the files could prevent important EFB information from reaching airline personnel and put passengers and crew at risk.
Criminals can also identify aircraft crews by pictures, signatures and crew shifts and force them to smuggle goods, weapons or drugs across borders. Additionally, attackers can use security guidelines to identify weak points in airport or aircraft security.
To strengthen cybersecurity, it’s important to remember that backups of critical data provide organizations with a lifeline. A comprehensive DR (disaster recovery) strategy is also essential. Data protection safeguards not only the interests of the company itself but also those of its customers, and it starts with reliable data backup. There are now many options for backing up enterprise data, such as virtual machine backups, including VMware Backup, XenServer Backup, Hyper-V backup and so on. Enterprises can choose the backup method that suits them best.