Airlines Alert Customers, Employees of Cybersecurity Incidents

Several North American airlines alerted customers and employees in the past days about various types of cybersecurity incidents, including system breaches, data leaks and credential stuffing attacks.

Virgin America said it detected unauthorized access to information systems containing employee and contractor data on March 13. According to the company, a third-party accessed logins and passwords used for its corporate network.

Cybersecurity forensics experts have been called in to investigate the incident and law enforcement has been notified.

The company said roughly 3,100 employees and contractors had their login credentials compromised, and an additional 110 individuals may have had social security numbers, driver’s license or government issued IDs, addresses, and health-related information stolen.

Canada-based WestJet Airlines told customers on Friday that an unauthorized third party disclosed some WestJet Rewards member profile data. While the leaked data did not contain any payment card or other financial information, the company has notified the Calgary Police Service and the RCMP’s cybercrime unit.

The airline is in the process of notifying affected customers, and it has advised WestJet Rewards members to change their passwords on a regular basis.

Florida-based ultra low cost carrier Spirit Airlines has sent an email to customers to notify them of an incident involving their FREE SPIRIT account.

The company told customers that someone published their information on a third-party website, but pointed out that the data was obtained from a prior breach unrelated to Spirit Airlines.

Spirit’s warning comes after a hacker contacted news websites, including SecurityWeek, claiming to have obtained information on 11.7 million Spirit accounts. The individual claimed to have alerted the airline of a vulnerability in its systems, and decided to put the data up for sale on the dark web after the company ignored him.

The hacker has leaked more than 10,000 records apparently belonging to Spirit customers, including names, Spirit account numbers, passwords, dates of birth, phone numbers, addresses and email addresses. However, he refused to provide the full data set or evidence of how he breached the airline’s systems.

Spirit told SecurityWeek that the hacker actually attempted to extort the company using emails and passwords obtained previously from other sources on the Internet.

Security expert Troy Hunt, the owner of the Have I Been Pwned service, told SecurityWeek that all the email addresses he tested from the leaked data show up in Exploit.in, a list of nearly 600 million email address and password combinations compiled using data stolen from various online systems.

Cybercriminals have used the Exploit.in list for credential stuffing attacks, where attackers automatically inject username/password combinations into a website’s login page in hopes that account owners have used the same credentials on multiple online services.

Related: Hackers Target Malaysia Airlines, Threaten Data Dump

Related: United Airlines Hack Highlights Need for Improved Information Sharing

Related: Hackers Target Polish Airline LOT, Ground 1,400 Passengers