A low-cost Turkish airline unwittingly exposed data of flight crew along with source code and flight data. Early reports say that the exposure happened because of the misconfiguration of an AWS bucket.
A research team from security comparison site SafetyDetectives uncovered that the cloud data was accessible or open on February 28. The researchers tracked the revealed data to Electonic Flight Bag (EFB) software designed by Pegasus Airlines.
EFB are data tools that optimize the efficiency of airline crews by rendering crucial reference flight materials.
Around 23 million files were found on the bucket, and the files amounted to 6.5TB of leaked data. The data consisted of three million files concerning sensitive flight data: flight charts and revisions; insurance documents; details of issues found during pre-flight checks; and info on crew shifts.
More than 1.6 million files had personally identifiable information (PII) on the airline crew, including photos and signatures. Source code of Pegasus’s EFB software was also found in the files and the files had text passwords and secret keys.
Aside from the potential privacy implications for crew members, SafetyDetectives speculated that the leak may have given malicious actors access to highly sensitive information.
“Bad actors could tamper with sensitive flight data and extra-sensitive files using passwords and secret keys found on PegasusEFB’s bucket. While we can’t be certain that pilots will use the bucket’s files for upcoming flights, changing the contents of files could potentially block important EFB information from reaching airline personnel and place passengers and crew members at risk,” it argued.
“With millions of files containing recent and possibly relevant flight data, unfortunately, an attacker could have numerous options to cause harm if they found PegasusEFB’s bucket.”
The data leak can lead to crew members being hounded by organized crime groups and bad actors identifying weaknesses in airport and airline security, states the report.
However, there’s no indication that any malicious actors found the trove before the research team did. After notifying Pegasus Airlines on March 1, SafetyDetectives noted that the leak was remediated around three weeks later.