Challenges With Passenger Data Breach
An airline's reservation system holds all of its passengers’ information, including date of birth, address, and form of payment (International Civil Aviation Organization, 2012). Travelers who become potential passengers on airlines make their bookings via a multitude of websites or by calling the airlines’ reservation center. Developing and implementing security policies and guidelines can prevent data breaches caused by cyber-attacks or accidents caused by employee misuse of systems. Data breaches experienced by Amtrak, Cunard Cruise Lines, US Airways, United Airlines, and American Airlines are a few examples of recent cyber-attacks where attackers had access to breached personal consumer data.
Amtrak
A passenger data breach caused by employee misuse of access brings to light the question of whether internal controls exist to prevent this type of data breach. In 2014, Amtrak’s investigation concluded that a secretary sold passenger information to the United States Drug Enforcement Agency (DEA) starting in 1995. The DEA paid the secretary a total of $854,460 during that period. The data given to the DEA included each traveler’s name, credit card number, passport number, and date of birth (Office of Inspector General, 2014).
Cunard Cruise Lines
In 2012, Dori Saltzman, a news editor and journalist in the travel industry, reported that an employee at Cunard Cruise Lines sent an email with an attachment that included 1,225 passengers’ booking reference numbers, names, and email addresses (2012). Cunard confirmed this was unintentional and issued new booking reference numbers to all travelers exposed to the breach. The email submitted contained the heading “Emergency Notification Urgent,” which indicated that due to problems, Cunard would send new booking reference numbers via email in the next 48 hours (Saltzman, 2012).
US Airways
Kelly Jackson Higgins, an executive director and a technology and business journalist, published “Thousands of US Airways Pilots Victims of Possible Insider Data Breach,” in which she reported that in October 2009, a group named Leonidas leaked 3,000 US Airways pilots’ personal information. The leaked data included names, addresses, Social Security numbers, and passport information (Higgins, 2011). The US Airline Pilots Association (USAPA), which represents 5,200 US Airways pilots, has worked with the FBI on the breach. USAPA believed a labor dispute between what were once American West pilots and current US Airways pilots appeared to be the reason for the data leak (Higgins, 2011). The USAPA provided all pilots 12 months of LifeLock’s identity theft program.
United Airlines and American Airlines
Melanie Watson, an Internet marketing executive, contributor for IT Governance, and cybersecurity author, reported that United Airlines and American Airlines both experienced a data breach when they each discovered the theft of frequent flyer miles from passenger accounts by a third-party vendor. Approximately 10,000 frequent flyer accounts were hacked, and trips were booked with the stolen miles (Watson, 2015). The two incidents, which occurred on separate occasions, should cause concern, as hackers compromised passenger information.
United Airlines
United Airlines found a data breach after launching an internal probe. The internal probe began after a hacker group breached government data that included government employee information and insurance holders. United Airlines detected the attack on their system in May or June of 2015. The attackers breached data containing passenger movement throughout United Airlines routes. United Airlines reported no relationship to the June and July 2015 hack related to the network outages that grounded their entire fleet (RT, 2015). Airlines need to ensure not only that their own networks are safe, but also that their third-party vendors’ systems are safe as well. A passenger data breach allows hackers to enter the airline’s website reservation system and book travel reservations with the compromised passenger data. Exposure to an attack due to a third-party vendor’s poor security practices creates brand damage, additional work in creating accounts and restoring miles, and the possibility of financial losses (Watson, 2015).