Air India among several airlines affected by SITA cyber attack
On March 19, Air India advised its passengers of a “sophisticated cyber attack” on its Passenger Service System provider “SITA” 3-4 weeks earlier. Further news from the carrier had been scant until the recent disclosure that some 4.5 million Air India passengers may have been affected by the breach, making them the largest group of victims of the incident at SITA in February.
In their most recent advisory, Air India revealed that bookings made between August 26, 2011 and February 3, 2021 – a period of nearly ten years – had been involved in the breach, resulting in the disclosure of personal passenger data including “name, date of birth, contact information, passport information, ticket information, Star Alliance and Air India frequent flyer data (but no passwords data were affected) as well as credit cards data”. On this last point, the press release advised that the CVV/CVC numbers associated with the disclosed credit cards were not stored by their payment processor, and therefore could not have been stolen.
Customers around the globe may be affected by this breach: before the COVID-19 pandemic, Air India flew to over 100 destinations domestically and internationally, operating in over 30 countries across five continents.
Dr. Edna Ayme-Yahil, SITA’s VP, Global Head of Communications, Brand and Sustainability, provided additional details on the breach in a statement on May 21: “SITA confirms that its passenger processing services were the victim of a highly sophisticated – but limited – cyber attack that affected passenger personal data stored on servers in SITA PSS’s data centre in Atlanta, Georgia… Our investigations indicate that the total period during which the cyber attacker(s) were able to access some of our systems was 22 days.”
Passengers with other global air carriers such as Air New Zealand, Cathay Pacific, Finnair, Jeju Air, Lufthansa, Malaysia Airlines, SAS and Singapore Airlines, were also affected by the breach, and have notified their customers.
SITA (Société Internationale de Télécommunications Aéronautiques) is an IT and telecommunications provider for the global airline industry, providing services to around 400 member airlines (about 90% of the world’s airline business).
Canadian student health insurance company suffers cyber attack
On May 12, IT staff at Canadian student health insurance carrier guard.me identified suspicious activity on their systems, prompting them to take their website offline as a precaution. The site outage is now approaching its third week.
As of May 25, the site remained down, with a maintenance message advising: “Recent suspicious activity was directed at the guard.me website and in an abundance of caution we immediately took down the site. Our IS and IT teams are reviewing measures to ensure the site has enhanced security in order to return the site to full service as quickly as possible.”
According to a report in Bleeping Computer, the incident on May 12 was a cyber attack that allowed hackers to gain access to students’ dates of birth, genders, and encrypted passwords. For some students, email addresses, mailing addresses, and phone numbers were also exposed in the incident. IT staff at guard.me reportedly believe that they have fixed the vulnerability, and they are instituting new policies for increased security, including database segmentation and two-factor authentication. But while their testing of the additional safeguards continues, their website remains out of service.
No details have been released regarding the nature of the attack, or if any ransom was involved in the incident.
Update on the cyber attack on the Irish health system
The cyber attack on Ireland’s Health Service Executive (HSE) is well into its second week. The Conti hacker group has been identified as the threat actor behind the coordinated attacks. As the HSE continues to refuse to pay the ransom demands – believed to be $20 million US – Dublin’s High Court has issued an injunction against Conti – under “persons unknown” – in a likely futile effort to stop the disclosure of the data stolen in the May 10 attack. The injunction, posted on a dark web site thought to be used by Conti, orders the hackers to cease sharing the stolen data, giving them 42 days to identify themselves and appear for legal proceedings.
Meanwhile, as a show of good faith, the Conti group operators have reportedly offered the HSE a decryption tool, without requiring payment. The tool is being examined and tested, as there is no guarantee of its efficacy, or its performance in decrypting systems even if it does work. Conti is still threatening to disclose or sell the estimated 700GB of data exfiltrated from HSE in the initial attack. The deadline of May 24, however, came and went without evidence of a data disclosure. According to a report in the Irish Times, officials still believe disclosure is likely, and are continuing their monitoring of the dark web for signs while work continues to restore and rebuild affected systems.
In a separate report, the Irish Times revealed the troubling news that the HSE was aware of its security weaknesses, and was attempting to remediate them when the attack occurred. As early as 2018, internal IT teams identified multiple areas of improvement, including those relating to security controls and disaster recovery protocols. With eerie accuracy, the HSE’s corporate risk register reportedly describes the current crisis situation, foreseeing that a successful cyber attack would have a direct impact on “patient care and safety and staff as a result of the inability to deliver ICT and specialised medical device dependent services”.
Audio equipment manufacturer Bose reveals ransomware attack
American audio equipment manufacturer Bose Corporation has revealed that it was the victim of a ransomware attack on March 7, 2021.
On May 19, Bose’s law firm, Zwillgen, filed a breach notification letter with the Consumer Protection Bureau in New Hampshire. Bose explained that they “experienced a sophisticated cyber-incident that resulted in the deployment of malware/ransomware across Bose’s environment”. The state Attorney General was notified because Bose’s investigation revealed that the data of employees residing in New Hampshire – including names, Social Security numbers, and compensation-related information – may have been disclosed to the hackers.
“The forensics evidence at our disposal demonstrates that the threat actor interacted with a limited set of folders within these files,” the notification stated, though it advised that Bose could not confirm whether the files had been stolen. No evidence of the data has been found on the dark web.
The form letter attached to the breach notification offered no insight as to the full scope of the breach or potential data disclosure, though it catalogued a host of internal security enhancement and procedural improvements undertaken by Bose as a result of the incident.