Content |
History
2022
Leak of 6.5 TB of data from crew members and software sources leaked
The Turkish low-cost airline Pegasus Airlines, popular with Russians, accidentally leaked data on its flights and personal information of crew members. This was announced at the end of May 2022 by the information security company SafetyDetectives. IT specialists incorrectly configured the cloud data storage, as a result of which about 23 million files or 6.5 TB of data were freely available, including flight information, source code of Electronic Flight Bag software and employee data.
Cybersecurity researchers at Safety Detectives could not establish whether the attackers were able to access PegasusEFB's unprotected AWS S3 kernel for reading or whether they were able to download files. The research team discovered a cloud-based data warehouse left open as early as February 28, 2022.
The Electronic Flight Bag system is an information management tool designed to optimize the performance of the airline's crew by providing the necessary background materials for their flight. Pegasus Airlines actively used EFB for domestic needs.
{{quote 'AWS S3 containing Pegasus Airlines Electronic Flight Bag (EFB) information was left unprotected with a password, which led to the leakage of a number of confidential flight data. The information was related to the EFB software developed by PegasusEFB, which pilots use to navigate the aircraft, take-off and landing, refueling, safety procedures and various other processes in flight, said cybersecurity specialist at Safety Detectives Colin Thierry. }} The researchers added that files from AWS S3 remained available and could allow any user to delete, modify or upload data to additional encrypted or password-protected databases, files and folders that date back to July 19, 2019. Cybersecurity specialists Safety Detectives say they did not verify those credentials for ethical reasons. The information posted, according to the researchers, could affect the safety of each passenger and crew member of Turkish Pegasus Airlines around the world. Affiliated airlines using PegasusEFB could also be affected, experts add.
The following data were at risk:
- Acceptance forms that detail minor problems detected during pre-flight inspections;
- Flight maps and revisions used to assist in navigation and landing;
- Spreadsheets containing information on airports, flights and crew changes;
- Documents and memoranda, including insurance documents, permits and safety instructions;
- Security integrity level, logs containing rules and source code.[1]
Suspension of flights to Russia
The Turkish airline Pegasus has suspended all flights to/from Russia from March 13 to 27, 2022 "due to operational risks" amid EU and US sanctions related to Russia's special operation in Ukraine.