Updated on April 19, 2018 by UpGuard
With all the conveniences of modern air travel—mobile check-ins, e-gates, in-flight wifi, and more—it's easy to assume that the world's leading airlines have addressed the inherent cyber risks of digitization. But the safety of in-air passengers is just one aspect of airline customer security; are these companies doing their best to protect customers against online security compromises? Let's take a look at the world's leading airlines to find out.
Air travelers be warned: by the looks of it, 2017 will be a year fraught with grounded flights and prolonged outages. Last Sunday, Delta experienced a crippling outage that caused delays and more than 150 cancelled flights; United also experienced grounded flights due to a computer glitch, just a week prior.
But glitches are one thing, data breaches are another—or are they? Unfortunately, the same glitches that cause devastating outages can often lead to security compromises as well. A recent report by Forbes Insights revealed that unpatched, known vulnerabilities accounted for 44 percent of security breaches. And when it comes to cyber resilience, basic website perimeter security measures are surprisingly neglected by some of the largest air carriers in the industry.
All of the leading airlines in this roundup offer a full range of services via their websites, from online bookings to frequent flyer miles/rewards redemption. Alarmingly, lack of sitewide SSL was a recurring issue, a security gap that can be exploited in impersonation/man-in-the-middle (MiTM) attacks.
American Airlines is the world's largest airline by fleet size and revenue, which plants it squarely in the crosshairs of cyber attackers. Back in 2015, the air carrier and its previous subsidiary Sabre were breached by the same perpetrators of the U.S. OPM hack. Various security flaws such as lack of HttpOnly/secure cookies, server information leakage, and missing DNSSEC make its website vulnerable to cyber attacks.
Though Southwest Airlines' computer outage last year was due to a software glitch, not a security compromise, the end result was nonetheless devastating: over 2,000 canceled/delayed flights costing up to $82 million in lost revenue and added expenditures. Like its stateside counterpart, Southwest's resilience posture is marred by several flaws including missing HTTP strict transport security, lack of HttpOnly/secure cookies, an exposed server information header, and disabled DNSSEC.
Lufthansa is both Europe's and Germany's largest airline (with its subsidiaries) by passengers carried and fleet size. Recently, its website and expansive customer database were compromised in a cyber attack.
Unfortunately, critical flaws exist in its website's perimeter security that continue to leave it open to exploitation: lack of sitewide SSL, missing HTTP strict transport security, disabled DMARC/DNSSEC, and more.
Back in 2015, the French flag carrier's website was famously hacked by the Mujahideen in Algeria. Despite these previous run-ins with cyber attackers, Air France still scores an exceedingly low 352 CSTAR score due to a host of security flaws: lack of sitewide SSL, missing HTTP strict transport security, missing HttpOnly/secure cookies, and disabled SPF/DMARC/DNSSEC.
The world's second largest air carrier by volume, United Airlines, like American, finds itself constantly in the crosshairs of cyber attackers. And like American, it was part of the massive security compromise carried out by the OPM data breach cyber attackers. United scores a respectable 877 CSTAR rating, despite flaws such as lack of DMARC and missing DNSSEC.
Japan's largest airline scores a low 429 CSTAR rating due to a host of security flaws: lack of sitewide SSL, missing HTTP strict transport security, disabled HttpOnly/secure cookies, and missing DMARC/DNSSEC, among others.
Alaska Airlines recently announced a test rollout of its new biometric check-in capabilities, but is it equipped to handle the security implications of these cyber risks? Its lackluster 675 CSTAR score is a result of a series of flaws: server information leakage, lack of HttpOnly/secure cookies, and missing DNSSEC, among others.
Low cost British carrier easyJet, along with 16 other companies, recently saw upwards of half a million customer records compromised in an encryption blunder: sensitive information such as payment card details was sent to company servers in unencrypted form. These days, encryption continues to be easyJet's Achilles heel: its low 482 CSTAR score is a result of lack of sitewide SSL, missing HTTP strict transport security, lack of HttpOnly/secure cookies, disabled DNSSEC, and more.
Headquartered in Taiwan Taoyuan International Airport, China Airlines is the flag carrier of the island nation of Taiwan. Its CSTAR score of 444 is the result of a myriad of critical security flaws: lack of sitewide SSL, server information leakage, missing DMARC/DNSSEC, and more.
Half of the major airlines featured in this comparison exhibited poor overall website perimeter security, with the majority of these underperformers lacking basic security controls like sitewide SSL. Moreover, most of these airlines have recently suffered from a serious data breach or security incident, in many cases involving their public websites.
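An added example, not UpGuard's code or the CSTAR methodology: a minimal Python check for several of the controls named in this roundup (HTTP strict transport security, HttpOnly/secure cookies, server information header, SPF/DMARC), run over a constructed response for a hypothetical site. The function names and sample headers are assumptions; DNSSEC and sitewide SSL need live lookups and are left out.

```python
import re

def audit_headers(headers):
    """headers: list of (name, value) pairs from one HTTPS response."""
    findings = []
    by_name = {}
    for name, value in headers:
        by_name.setdefault(name.lower(), []).append(value)

    # HSTS counts only when max-age is present and greater than zero.
    hsts = " ".join(by_name.get("strict-transport-security", []))
    m = re.search(r'max-age\s*=\s*"?(\d+)', hsts, re.I)
    if not m or int(m.group(1)) == 0:
        findings.append("missing HTTP strict transport security")

    # Each Set-Cookie header is checked for both flags.
    for cookie in by_name.get("set-cookie", []):
        parts = [p.strip() for p in cookie.split(";")]
        cookie_name = parts[0].split("=", 1)[0]
        attrs = {p.split("=", 1)[0].lower() for p in parts[1:]}
        for flag in ("httponly", "secure"):
            if flag not in attrs:
                findings.append(f"cookie {cookie_name} lacks {flag}")

    # Heuristic (assumption): a version number in Server, or any
    # X-Powered-By header, is treated as server information leakage.
    server = " ".join(by_name.get("server", []))
    if re.search(r"\d", server) or "x-powered-by" in by_name:
        findings.append("server information leakage")
    return findings

def audit_mail_txt(spf_txt, dmarc_txt):
    """TXT strings published at the domain and at _dmarc.<domain>."""
    findings = []
    if not any(t.lower().startswith("v=spf1") for t in spf_txt):
        findings.append("missing SPF")
    if not any(t.lower().startswith("v=dmarc1") for t in dmarc_txt):
        findings.append("missing DMARC")
    return findings

# Constructed sample response for a hypothetical site, not captured traffic.
SAMPLE_HEADERS = [
    ("Server", "Apache/2.4.18 (Ubuntu)"),
    ("Set-Cookie", "SESSIONID=abc123; Path=/; Secure"),
    ("Set-Cookie", "lang=en; Path=/; HttpOnly; Secure"),
]

if __name__ == "__main__":
    for f in audit_headers(SAMPLE_HEADERS) + audit_mail_txt(["v=spf1 -all"], []):
        print(f)
```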
Wondering if managing your frequent flyer miles online is putting your personal data at risk? Try out UpGuard's free CSTAR risk grader web application and Chrome extension for validating the security posture of your favorite airline today.
Misconfigurations are an internal problem that emanates from within the IT infrastructure of any enterprise; no hacker is necessary for massive damage to occur to digital systems and stored data. And the problem is pervasive, with Gartner estimating that anywhere from 70% to 99% of data breaches result not from external, concerted attacks, but from internal misconfiguration of the affected IT systems.