Canada’s national airline has admitted suffering what is says was a “brief” breach of security controls, although the statement from Air Canada doesn’t say when the incident happened or how much personal information the attacker accessed.
“An unauthorized group briefly obtained limited access to an internal Air Canada system related to limited personal information of some employees and certain records,” the airline said Wednesday.
“We can confirm that our flight operations systems and customer-facing systems were not affected. No customer information was accessed. We have contacted parties whose information has been involved as appropriate, as well as the relevant authorities.
“We can also confirm all our systems are fully operational. We have since implemented further enhancements to our security measures, including with the help of leading global cyber security experts, to prevent such incidents in the future as part of our ongoing commitment to maintaining the security of the data we hold.”
It isn’t known if the airline was targeted, the threat actor took advantage of a known application vulnerability or leveraged a stolen credential.
One good sign the short statement from the airlines suggests is that it was able to identify that there had been a breach of security controls and was quick to eject the intruder.
KonBriefing.com, which tracks cyber attacks, noted in February that the air transport industry is increasingly targeted by cyber attackers. These include denial of service attacks on the websites of airports of Western countries believed to have been committed by pro-Russian groups after the Russian invasion of Ukraine. For example last year 10 U.S. airports were hit by DDoS attacks on October 10th.
One Canadian airline hit last year was charter operator Sunwing, following a cyberattack on the airlines’ check-in service supplier, Airline Choice. Air cargo supplier Swissport was hit by a ransomware attack, as was a Montreal military contractor that makes cockpit systems integration, avionics, display solutions, and high-performance microelectronics for military and commercial aircraft.
David Shipley, CEO of New Brunswick’s Beauceron Security and a regular guest commentator on ITWC’s Cyber Security Today podcast, hoped Air Canada can share more about this hack soon. “There could be lots of valuable lessons for other organizations and I’d love to see us move away from victims feeling like they can’t be more open about incidents for fear of being blamed,” he said in an email.
“Based on the statement, it looks like they had a decent response plan and good containment of the incident. Any organization can get hacked, period. It’s how we respond and how we can help each other learn collectively that’s most important.”
