In an Age of Global Terrorism, Hi-Tech Hackings and Malware Attacks, How Can the Airline Industry Improve Its Data Security SOP?

Oct. 10, 2017
With increased issues with cyber security, take control of your data to keep operations safe.

The nexus between air travel security and global terrorism became painfully clear in the tragic aftermath of September 11, 2001. Immediately afterwards, institutional changes in the pre-boarding process, ticketing, security procedures and the self-identification of passengers were implemented. All kinds of deeply personal, highly sensitive data-points were collected, inventoried, cross-referenced and scrutinized, and our air travel SOP was systematically overhauled. The objective, of course, was to protect our citizens from a rapidly-evolving threat-matrix – international terrorism – that represented a clear and present danger to the American homeland. Eight million people fly every single day, and on the heels of 9/11, opting for inaction was unfathomable; something had to be done to prevent future attacks. And today, 15-plus years later, most of us don’t even think twice before divulging the most intimate details of our life to airline staff and TSA screeners. From our social security number to our children’s names to our entire vacation itinerary, we’re fully prepared to reveal everything – all in the name of homeland security.

Ironically, the data that we’re now providing to enhance our security could be “weaponized” by hackers, criminals, fraudsters and even terrorists.

In fact, it’s already happening.

Think of all the personal data we share with the airlines. They know our names, home addresses, passport details, travel histories, emergency contacts, health issues, and all kinds of private, individualized behavioral information. Remarkably, the collection of this data isn’t regulated. There are no industrywide standards for managing and protecting passenger information. Different airlines have vastly different policies; there’s absolutely no semblance of procedural uniformity. Nor are the airlines incentivized to upgrade their data-security protocol: Instead, federal regulators have saddled these for-profit, multinational corporations – including Allegiant, American, Delta, JetBlue, Southwest and United – with the extra burden of collecting and processing millions of different pieces of passenger data, but neglected to grant these businesses tax-breaks or supplemental funding to invest in IT improvements. These regulations are, essentially, an unfunded mandate.

Unsurprisingly, the airlines try to contain the regulatory costs by doing what the law requires — and not much more. And really, how can we blame them? It’s not their fault. As a for-profit business, they’re accountable to shareholders to maximize profitability, and that means minimizing unnecessary expenditures.

If it doesn’t drive revenue, then it doesn’t make economic sense.

This is a glaring vulnerability that must be addressed – now, before it’s too late. Because, make no mistake, the airlines are demonstrably capable of handling sensitive data and seamlessly complying with industrywide rules and regulations. They already do with financial data.

Let me explain:

The airlines are required to comply with the Payment Card Industry Data Security Standard (PCI DSS) guidelines for all credit card transactions. These are a series of very specific rules that safeguard the financial information of passengers, to ensure transactional security. The regulations are explicitly precise, and are carefully heeded by the airlines. (Quite obviously, the airlines have a vested financial interest in protecting passengers’ credit card information. If passengers no longer trusted the airlines to process their credit cards, it would represent an existential threat to the solvency of their industry. Thus, there’s ample oversight, adequate training, and the airlines have invested millions upon millions in the IT infrastructure to keep the data safe.) Here, the system works; our credit card data is secure, and purchasing tickets is considered a low-risk activity. But there’s a big loophole: All the other data that the airlines collect is exempted from PCI DSS regulations.

Most of the security precautions for passengers’ non-financial information are strictly voluntary. For certain data-points, there are no security precautions at all.

In 2004, the federal government mandated PCI DSS compliance for all credit card data because our financial information is so important, it necessitated special protection. But as valuable as it is, it’s no longer our most vital data index. The methodology of cybercriminals has evolved. Hackers are now targeting other forms of personal information, like spending patterns, background info, travel history, family names, places of residency, when we’re away, and so much more, to steal money, commit cyberfraud and syphon funds. Terrorists are also targeting the same information, but for vastly different reasons.

And it’s not being adequately protected.

As a post-9/11 security measure, airlines are now responsible for tracking and collecting an increasingly large number of highly-sensitive data-points. The intent, of course, is to protect passengers via aggressive screenings. But while these new security standards were being adopted, the federal government failed to address one critical question:

What should happen after all this data is mined?

We trust the airlines with the names of our children. If you travel often enough, all kinds of sensitive, personal data can be accumulated – enough to create a damning profile of who you are and what you do. This data needs to be protected, because data is valuable. And it’s not just fraudsters who covet this information: If a terrorist wanted to board a flight under a false name, learning the identities, travel times and data-points of the other passengers could be extraordinarily helpful.

The airlines are susceptible to hackings, and it’s become commonplace for computer glitches to wreak havoc on air travel: A massive IT failure in 2017 forced British Airways to cancel flights out of London, and Southwest, Delta and Lufthansa have recently faced similar breakdowns. As the airline industry has become more reliant on tech, the potential damage that hackers could inflict has exponentially increased.

Tech is simultaneously the solution to – and the source of – so many of our modern problems. An airlines’ IT interface is the point-of-access for customers… as well as cybercriminals. These marauding gangs of hi-tech hoodlums scour the Internet for security gaps and develop new, innovative ways to exploit vulnerabilities.

Perhaps most unsettling, these gaps in cybersecurity are encouraging new IT attacks. Weakness invites fraud attempts. Terrorists, hacktivists and criminals are studying our software, sharing hacking tips on the dark web, and reverse-engineering the internal processes of private businesses to see where they’re most susceptible. These cyberthieves are masterminds at identifying the path of least resistance.

Their favorite fruit is low-hanging fruit.

The airlines are a tempting target for criminals, because there’s a treasure trove of personal, highly-usable information, and our current security precautions are laughably ineffective. For example, you only need two forms of information to authenticate a flight: a passenger’s last name, and his or her six-character Passenger Name Record (PNR), which is supposed to work as a secure password. But we don’t keep it a secret at all. In fact, the PNR is printed on every ticket and on every luggage tag! It’s literally right there – printed numerically or as a barcode – for anyone to see.

If your phone has a barcode app, you can discreetly take a photo of someone’s luggage and instantly learn their PNR number. It’s literally that easy.

All over the world, security gaps in air travel are being detected, tested and exploited. Over a 14-month period at India’s Indira Gandhi International Airport in Delhi, 30 passengers were arrested for using forged e-tickets (and another passenger was arrested for having a falsified PNR). Sadly, this wasn’t an isolated incident: Criminals have long sought to evade the authorities by masking their identities. According to media reports, six of the 19 al-Qaeda terrorists who orchestrated the 9/11 attacks used fraudulent names and fake documents. More recently, the spate of ISIS attacks across Europe were allegedly perpetrated by terrorists who used falsified documents to travel throughout the European Union, and at least one posed as a Syrian refugee.

Coupled with our propensity for oversharing personal information on social media, we’re making it all-too-easy for terrorists to access our private data. Sometimes we even volunteer it: Hundreds of thousands of people have taken pictures of their airline tickets and posted them on Facebook, Twitter and Instagram, to brag about their travel plans. In the tail-end of 2016 – over the space of just a few weeks – two researchers found 75,000 different photos on social media of passengers posting images of their tickets! Anyone who viewed the photos could have attempted wholescale fraud. Their names and PNR numbers were visible to anyone who clicked on the picture.

How absurd is that?

But it’s more than just absurd: It’s also dangerous. In November of 2016, eight men in Mumbai were arrested for illegally accessing an international airport. They had gained access by using falsified PNR numbers. Fortunately, these men weren’t terrorists… but next time, we might not be so lucky. Regardless, what this conclusively demonstrates is that PNR numbers are being exploited by bad actors; it’s not just a theoretical scenario, but the ongoing modus operandi of criminals.

An ISIS-trained extremist could circumvent a terror watchlist, simply by accessing PNR data and flying under someone else’s name. Your run-of-the-mill, everyday criminal might opt to use the data to learn when you’ll be traveling away from home, so your house can be burglarized. And a stalker could wait until someone’s husband or wife is out of town, so the spouse is left all alone.

The airlines need to affirmatively – and voluntarily – develop new industrywide standards for securing data, and there must be additional funding to implement and oversee these new compliance standards. It’s essential to enact a plan as soon as possible: Eventually, these gaps will surely be exploited by terrorists. It’s not a question of if; it’s a question of when. After a terror attack, the cost in blood and treasure will be so great, government bureaucrats will mandate immediate standardization. When this happens, the legislation will be written by congressman and senators who might not understand the nuances of air travel as well as those who work within the industry. It’s always preferable to make these decisions freely and deliberately, instead of having the regulations forced upon you by DC politicians. Wholesale institutional changes take time; for business reasons and moral reasons, the major airlines must immediately seal these security-gaps on their own. (And besides, by standardizing the policy, it might even improve internal efficiencies, which could save the airlines money.)

Again, let me be clear: It’s not the airlines’ fault. Terrorism is an international problem that affects all of us. In many ways, the airlines have been asked to absorb a disproportionate burden of the total cost, and that’s not fair. But the bottom line is, because the airlines are being specifically targeted by terrorists, the airlines must also be specifically protected, and that includes protecting our data.

There are also important lessons for non-airline-related businesses, too:

For far too long, the airlines have been the “canary in the coalmine” for security threats, and the attacks on airlines have foreshadowed attempts on other industries. Chargebacks911 offers the following five tips to consumers and businesses concerned about data breaches:

1. Keep all aspects of your customers’ data secure, not just his or her financial information. There is no “unimportant” data.
2. Don’t share your customers’ data with outside vendors.
3. As a general rule, if a vendor isn’t PCI-compliant, avoid doing business with him or her. It’s not worth it.
4. Be ultra-vigilant about training your staff how to manage sensitive information. Develop an internal SOP for handling data.
5. “Data is king” has replaced “Cash is king” – because cash might come and go, but today, data has longevity. In many ways, it’s your company’s single most valuable commodity. Treat it as such.

And remember that sometimes, data isn’t just valuable, but a matter of life and death.

Monica Eaton-Cardone is the owner, cofounder and Chief Operating Officer of Chargebacks911, a cybersecurity company that helps businesses, e-stores and online merchants maximize revenue and minimize loss in a variety of industries and sectors within the payments space.  Founded in 2011, Chargebacks911 has grown to over 400 employees worldwide, with offices throughout North America, Europe and Asia.  Chargebacks911 manages over 2.4 billion online transactions each year, helping clients in 87 different countries increase sales and decrease fraud.

About the Author

Monica Eaton-Cardone | Chief Operating Officer