Data security turbulence at airline cos: How to land softly

Air India’s Passenger Service System (PSS) was recently breached exposing data of over 4.5 million users. “Air India would like to inform its valued customers that its Passenger Service System provider SITA has informed about a sophisticated cyber attack it was subjected to in the last week of February 2021,” says a press statement by Air India. The Indian aviation company comes under the national critical infrastructure and thus the data breach holds major ramifications. However, while the level and scope of sophistication is being ascertained through forensic analysis and the exercise is ongoing, the service provider has confirmed that post incident, no unauthorized activity inside the PSS infrastructure has been detected.

Many airline companies in India have faced data and Information Systems breach in the recent past. Spicejet, in January 2020, reported, that the data of its 1.2 million passengers was exposed. A year later, Indigo reported a server compromise in January 2021. And Now, it’s Air India, in February 2021.

Ravinder Pal Singh, VC Partner, Kalaari Capital and former CIO, Vistara Airlines in one of his recent Linkedin posts discussed, “Most CIOs & CISOs in aviation lack technology leadership and don’t have hands-on understanding of its complexity. They are solely driven by cost pressures of CFO. The mantra is to always agree with the CEO and depend on incomplete and siloed wisdom of outsourcing partners,”

He goes on to say, “DNA of aviation systems is complex for e.g. aviation avionics software may have 100 million – a billion lines of code,”

So where does the solution lie, Singh opines, if airlines have to wrest back market power and to reshape their focus, this is the right time as cost of compute is getting cheaper while computing power to assimilate vast amounts of data into something meaningful is commoditized and thus affordable. This should transform the way airports and airlines think and work, from operational analytics to leveraging data to generate better commercial returns. Moreover airlines should also invest in getting skilled talent.

Ramsunder Papineni, President, Global Sales, Vehere stresses on the importance of upskilling of the existing talent. “There are three areas of improvement – people, process and technology. In the technologies space, look for the latest upgrades available and launched in the market; always evaluating the process improvement scope in order to reduce chances of a breach; Like technologies, the employees will also have to be upgraded and upskilled for the latest cyber threat scenarios. This has to be done on an yearly basis,”

Most of the attacks are culminating on the endpoint or the network layer and thus continuous traffic monitoring is essential. A proactive network forensics is also important. Breaches are inevitable but if backed with network forensics capabilities, organisations can proactively defend against future attacks.

Sonit Jain, CEO of GajShield Infotech suggests the following steps for securing airlines’ information systems :

– Do regular audit and assessment of third parties systems handling your data. You need to be diligent with third parties as you are with your own enterprise. Any weakness in this link, will only weaken your enterprise security.

– While outsourcing does provide value in reducing cost, you should not be locked into a single vendor. Plan your exit strategies and build redundancy in your operations. At times, heavy dependency, often leads to neglecting security as you may not want to disturb an existing running setup.