Iberia, the Spanish airline, has become an example of the growing cyber and data exposure risks affecting the airline industry. Last week, Iberia began an industry-wide notification of an external data breach affecting its airline booking customers. Per Iberia’s notification, customer data is confirmed compromised.
What did the airline breach expose?
Iberia’s notification states that no payment information, passports, or travel passports were exposed to unauthorized access. Affected data includes passenger (flyer) names, contact information, and Iberia gold and silver customer frequent flyer membership numbers.
While Iberia has confirmed that an external service contractor sustained an unauthorized access incident affecting Iberia’s customer service operations, Iberia’s data breach is primarily an operational issue. Cybersecurity has become an industry-wide and operational issue. Iberia now faces massive brand reputation risk and potential litigation over unauthorized access in an external data breach incident.
Iberia has not disclosed how many customers were affected, but Iberia warned all customers who were impacted to be wary of any potential phishing scams or identity theft and fraud. Iberia has also set up customer support lines to help customers, and is collaborating with experts in the field of cybersecurity to mitigate the damage caused by the hack.
Digital ecosystems and the effect they have on the airline industry
Digital ecosystems require interconnected external systems. Vendors in digital ticketing and loyalty programs are only the beginning. Within this ecosystem, the airline industry and its players compete with cyber criminals.
Digital transformation also significantly increases the risks in the industry. The aviation industry increasingly relies upon large and complex digital systems. The use of cloud systems, customer- and industry-facing apps, automation and other systems increases the attack surface.
The more advanced the automation and the use of other systems, the greater the number of attacks.
Modern attacks are happening more often, and with advancing automation there have also been more distributed attacks. Cybersecurity therefore becomes more important.
Compliance and protection laws for affected customers
Under European data protection laws, Iberia must inform affected customers and the authorities. The airline has stated that it is fully GDPR compliant and has committed to full openness in the compliance process.
Iberia Airlines,
“Spanish flag carrier Iberia is notifying customers that their personal information was compromised after one of its suppliers was hacked.”
Nevertheless, this event leads to much more profound considerations about how organizations deal with security compliance in their business ecosystem.
Cybersecurity experts say the approach should differ from the traditional way of evaluating vendor risk. Continuous evaluation, contractual commitments to security, and collaboration in incident management are required to address the risk posed by vendors in the supplier ecosystem.
There are discussions in the aviation community about the need to improve security
There is a call for airlines to implement a zero-trust architecture and to engage in extensive system security audits, as well as to acquire systems for the early detection of security threats. It will be necessary to involve air carriers, authorities, and system developers to strengthen protection against further attacks.
For customers, the message is simple: Stay vigilant by keeping an eye on your accounts for unusual activity. Stay away from unsolicited links and turn on two-step verification processes when available.
The Iberia breach is an industry-wide collapse of global digitally-connected trust. As airlines further digitize internal processes and externalize core functions, cybersecurity is no longer just an airline problem; it’s a supply chain problem. Without an integrated approach to cyber risk management, airlines will experience a greater frequency of cyber attacks and face a greater erosion of trust and severe reputational consequences.
