The CyberWire staff | Thecyberwire.com
The news of Air India’s third-party exposure of passenger data has prompted industry comment. Saryu Nayyar, CEO of Gurucul, noted that you may well be affected by a security problem at an organization you’ve never heard of:
“Once again, cybercriminals are flying off with millions of personally identifiable data of airline passengers, just in time for summer travel. The data stolen can be used in social engineering scams to steal even more from these victims. The breach of the third-party IT supplier to Air India, SITA, is to blame for this incident and numerous other breaches, as SITA services 90% of the world’s airlines. I liken this to the Takata air bag recall in that most car manufacturers rely on Takata for their air bags. And most airlines rely on SITA for airport, border and aircraft operations. It’s overwhelming to realize a single supplier can take down an entire industry… no one ever heard of SITA or Takata before these incidents. And now we’ll never forget them.”
Rajiv Pimplaskar, CRO at Veridium, sees the incident as another reason to be leery of how we use passwords.
“While the exact cause of the SITA data breach is not yet known, it is clear that loyalty accounts, such as frequent flier or hotel rewards programs, are prime targets or ‘honeypots’ for credential theft since they contain rich Personally Identifiable Information (PII). Further, loyalty accounts have less stringent rules around password resets or reuse as compared to financial services accounts employing multi-factor authentication (MFA) methods, thereby making it easier for credential harvesting and lateral movement.
“Verizon’s Data Breach Investigations Report (DBIR) indicates that over 80% of data breaches use compromised credentials. Airlines and the hospitality industry need to accelerate their adoption of passwordless technologies such as ‘phone as a token’ or FIDO2 security keys that eliminate this dependence on credentials. Passwordless authentication can reduce the attack surface of such breaches as well as limit the resulting data exposure. Finally, such authenticators have less friction and can be adopted by both employees and customers, improving user experience and productivity.”