French airplane and military aircraft behemoth Airbus SE has become the latest victim of a cyberattack leading to a data breach, with an incident detected on its “commercial aircraft business” information systems.
It is only the latest high-profile data exposure to come to light in recent days, and it dovetails with the release of billions of records on the Dark Web as part of a data dump that’s being called “Collections #2-5.”
The company said on Wednesday that the incident resulted in unauthorized access to employee data, but that there was no impact on Airbus’ commercial operations or intellectual property.
“Investigations are ongoing to understand if any specific data was targeted, however we do know some personal data was accessed,” the aviation giant said in a short notice on its website. “This is mostly professional contact and IT identification details of some Airbus employees in Europe.”
Details are scant for now, in terms of how many employees are affected and how the incident took shape. Airbus said it has notified authorities in compliance with the General Data Protection Regulation (GDPR), and noted that investigators are trying to find out the origins of the incursion.
Irra Ariella Khi, CEO of VChain, said that it seems likely that a review of Airbus’ data storage systems is in order.
“The security breach against Airbus is another example that current processes for storing sensitive data are not fit for purpose,” he told Threatpost. “Holding data on centralized, vulnerable systems is making it easy for hackers. We urgently need to move to systems built using privacy by design principles – where data security and obscurity are built into the system – and data is not in a box that is inevitably breached. Personal data of employees, operatives, or passengers held by those operating in the aviation industry is highly sensitive. The industry is highly regulated for a reason: data security is vital for ensuring safety. Whatever the motivation of the attack is, we should not be making it so easy to access data.”
Simon Whitburn, senior vice president of Cyber Security Services at Nominet, told Threatpost that if data protection authorities determine that Airbus was improperly handling personal data or storing it in weak repositories, it could result in a GDPR fine.
“The data breach suffered by Airbus is another in a growing number of large corporations suffering an attack,” he said. “Where they have been fortunate is that it doesn’t seem to have impacted their commercial side as it did with British Airways last summer. However, they could still face a fine under GDPR regulations as the details of EU workers were exposed.”
He added that preventing opportunistic attacks requires several layers of security measures.
“Ensure that any outward facing servers are secured with strong passwords and multifactor authentication,” he explained. “Install a culture of cybersecurity within the organization itself, with training for all staff to help then spot suspicious emails and feel confident in asking their superiors to confirm instructions that they send over email. By having many layers to their security, it can help detect breaches at a much earlier stage as well.”
Interested in learning more about privacy and data breach trends? Watch the free, on-demand Threatpost webinar, as editor Tom Spring examines the data breach epidemic with the help of noted breach hunter and cybersecurity expert Chris Vickery. Vickery shares how companies can identify their own insecure data, remediate against a data breach and offers tips on protecting data against future attacks.
Collections #2-5
While breaches continue to make headlines, a fresh compilation of some 2.2 billion stolen account records — dubbed Collections #2-5 — is being traded on the Dark Web, researchers say.
Discovered by researchers at the Hasso Plattner Institute in Potsdam, Germany, the trove equals 845 gigabytes of stolen data and 25 billion records in all before de-duping. It contains roughly three times as many unique records as Collection #1, which Troy Hunt of HaveIBeenPwned found earlier in January. That tranche contained 773 million unique usernames and passwords.
The German news site Heise.de reported that most of the ill-gotten credentials have been acquired via the well-known compromises of Yahoo and others that stretch back years. However, the Plattner Institute analysts told the outlet that 750 million credentials weren’t previously included in their database of leaked usernames and passwords; also, 611 million of them weren’t included in the Collection #1 dump.
“2.2 billion records is a staggering number,” said Frederik Mennes, senior manager of Market & Security Strategy, Security Competence Center at OneSpan, via email. “Companies should remember that easy targets will continue to be exploited first, because cybercrime follows the path of least resistance. Applying multi-factor authentication may stop an attacker as the attacker might go after only users that have not enabled stronger authentication.”
He added, “We are becoming accustomed to breach notification news, but sad to say, the use of multi-factor authentication is still not utilized whenever and wherever possible. MFA combines at least two out of three of the following technologies: something you know (such as a PIN), something you have (such as an authentication app on the smartphone) or something you are (such as a fingerprint or facial recognition). The passwords that are generated only last for a limited period of time, which makes it useless for hackers to intercept and reuse them.”
Interested in learning more about privacy and data breach trends? Watch the free, on-demand Threatpost webinar, as editor Tom Spring examines the data breach epidemic with the help of noted breach hunter and cybersecurity expert Chris Vickery. Vickery shares how companies can identify their own insecure data, remediate against a data breach and offers tips on protecting data against future attacks.
