Open Databases Crash: Air Travel Security

The Alert of the Month for June 2022 is an exposed database originating from a flight comparison website. This alert is a classic example of the risks that exposed databases create. Without External Attack Surface Management, our clients would have found themselves an unwitting party to data leaks, smishing, fraud, and GDPR fines.

On June 24th at 8:25 A.M. the CybelAngel platform identified an unsecured MongoDB instance belonging to a flight comparison website. The unsecured database contained six separate collections (tables) mentioning our client’s keywords, which suggested that the database belonged to a third party, either a customer or partner of our client. To better understand what risks our client faced, CybelAngel analyst Thibaut Eychene was assigned to investigate the alert.

Unsecured databases are not ideal

“Unsecured databases are a common alert that we see often, but the real question when looking at an unsecured database is what is inside it,” Thibaut explained. CybelAngel’s whitepaper, “When it Leaks, Hackers Breach”, bears out our analyst’s experience: it found that misconfigured databases and servers were the leading cause of leaked records.

According to IBM, unsecured and open databases are responsible for 86% of all publicly accessible sensitive records. “While examining the database, I could confirm that the offending database was not owned by our client but belonged to a third party of theirs. The next big question was ‘what kind of data is inside?’ After a short investigation, I found 60 Passenger Name Records (PNRs) with data like name, age, origin and destination information, flight numbers, security tokens, and contact information. If I were an attacker, this database would be a win, so it must be shut down,” Thibaut explains.

An example PNR from Edward Hasbrouck, The Practical Nomad.
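The remediation this incident points to sits with the database owner: a mongod process should never listen on every interface while access control is switched off, which is the combination that makes a MongoDB readable by anyone who finds the port. The script below is an added example, not CybelAngel’s tooling and not anything recovered from the leaking database. The two configuration texts are constructed for illustration, and the checks rely only on documented mongod.conf settings (net.bindIp, net.bindIpAll, security.authorization); the tiny YAML-subset parser exists so the example runs without PyYAML.

```python
# Added example: audit a mongod.conf for the two settings that most often
# turn a MongoDB instance into a publicly readable database. The config
# texts below are constructed for illustration and have nothing to do with
# the database in the incident. A tiny YAML-subset parser is used so the
# script runs without PyYAML; production tooling should use a real YAML
# library.

WEAK_CONF = """\
# constructed weak config: reachable from everywhere, no access control
storage:
  dbPath: /var/lib/mongodb
net:
  port: 27017
  bindIp: 0.0.0.0
"""

HARDENED_CONF = """\
# constructed hardened config: loopback plus one internal address, auth on
storage:
  dbPath: /var/lib/mongodb
net:
  port: 27017
  bindIp: 127.0.0.1,10.0.0.5
security:
  authorization: enabled
"""


def parse_mongod_conf(text):
    """Parse the 'section:' / '  key: value' subset of YAML that mongod.conf
    uses into {section: {key: value}}. Comments and blank lines are dropped.
    Only the first ':' splits key from value, so IPv6 literals survive."""
    conf = {}
    section = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        indent = len(line) - len(line.lstrip())
        key, _, value = line.strip().partition(":")
        key, value = key.strip(), value.strip()
        if indent == 0:
            section = key
            conf.setdefault(section, {})
        elif section is not None:
            conf[section][key] = value
    return conf


def audit_mongod_conf(text):
    """Return a list of findings; an empty list means neither weak setting
    is present. Defaults mirror mongod's own: since MongoDB 3.6 bindIp
    defaults to localhost and authorization defaults to disabled."""
    conf = parse_mongod_conf(text)
    net = conf.get("net", {})
    security = conf.get("security", {})
    findings = []

    # Exposure: bound to all interfaces, via bindIpAll or a wildcard address.
    bind_all = net.get("bindIpAll", "false").lower() == "true"
    addrs = [a.strip() for a in net.get("bindIp", "127.0.0.1").split(",")]
    public = bind_all or any(a in ("0.0.0.0", "::") for a in addrs)
    if public:
        findings.append("net.bindIp/bindIpAll: listening on every interface")

    # Access control: without authorization, every connection is a superuser.
    auth_on = security.get("authorization", "disabled").lower() == "enabled"
    if not auth_on:
        findings.append("security.authorization: not enabled (no login required)")

    if public and not auth_on:
        findings.append("CRITICAL: anyone who can reach the port can dump every collection")
    return findings


if __name__ == "__main__":
    for name, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(name, audit_mongod_conf(conf) or ["no findings"])
```

Enabling authorization alone downgrades the finding but does not remove the exposure: the port is still reachable, and the instance still advertises itself to whoever scans for it. Both settings need to change, and a firewall or private network should sit in front of the listener as a second layer.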

GDPR risks

When asked about the risks, Thibaut highlights the GDPR compliance issues first: “GDPR is a serious law, and whether or not these passengers are European citizens, doing business in the EU means playing by the GDPR rules. That means this relatively small exposure could mean millions of dollars in liability risk.” Again, experience proves CybelAngel’s analysts right: the personal data of more than 400,000 British Airways customers was compromised in 2018, leading to a lengthy legal battle and, in 2020, a £20 million fine from the U.K. Information Commissioner’s Office (ICO). In 2021 a breach at SITA, an airline IT and data-processing provider, exposed frequent-flyer data from multiple airlines. When asked about any risks beyond GDPR, Thibaut noted some disturbing trends among threat actors: “There’s a bunch of groups looking to collect PNRs as part of surveillance. There are groups like Chimera, APT39, and others that use the information within to target people.

A PNR can have more information than just flight data; items like hotels, car rentals, and more can be included. It’s a valuable resource for those looking to follow people.” “Another risk to be considered is fraud. Airline tickets are expensive, and people are looking for deals that make them prime targets. With what is available it would take some investment for threat actors to turn a profit, but it is possible via some sort of phishing campaign,” noted Thibaut.

As CybelAngel’s research “Flying Blind in Third-Party Ecosystems” notes, “fake tickets and rebookings accounted for $1 billion in fraud in 2020”.  “Having identified that there are real risks to our client, the next goal is to understand where this leak originated and to gather as much information as possible.

Attribution is vital

Attribution is possibly the most important part of our investigations,” stressed Thibaut.  “Our clients or points of contact do not always have knowledge of who they are working with, who is in charge of what project, etc. Being able to direct our clients to the problem, and showing what needs to be fixed helps speed up the remediation process.

That information can then be turned into stronger contract language and processes to prevent incidents like these. It’s not just about fixing current issues but helping the client avoid future ones too,” explained Thibaut. 

CybelAngel’s world-leading external risk protection platform detects and resolves external threats well before they’re exploited. Named a “Best of Breed” by Gartner in 2021, organizations worldwide rely on CybelAngel to discover, monitor, and resolve external threats. We protect our clients across all layers of the Internet, keeping their critical assets, brand, and reputation secure.