The airline industry has embraced technology to improve efficiency and safety, but this is giving rise to some significant cyber and dependency risks.
IT systems are integral to airlines’ ground and flight operations. The continued growth of the global civil aviation industry combined with rapid tech developments is, however, driving greater dependence on technology.
“It’s hard to think of a business that’s exposed to the risk of data breaches, IT outages and operational failures on the scale and severity of an airline,” says Sarah Stephens, Head of Cyber, Content and New Technology Risks at JLT Specialty.
Breaches and disruption
Aviation faces a wide range of cyber risks, from both malicious attacks and technical malfunctions.
As holders of sensitive personal information, airlines face substantial data protection and cyber liability risks. Several have suffered large data breaches, such as the April 2018 cyberattack on a third-party chat service used by Delta Air Lines in which several hundred thousand customers may have had their names, addresses and payment card information exposed.
Airlines are also exposed to potentially costly disruption to their daily operations as a result of attacks or system outages. This can result in lost revenues, additional expenses, disgruntled customers and reputational damage.
IT outages, whether due to attacks, technical faults or human errors, can affect systems essential to the running of an airline, such as reservations, check-in and air-traffic control.
In May 2017, at least 75,000 travelers were grounded over three days as British Airways' information technology systems crashed and hundreds of flights were cancelled. The incident cost the UK carrier's parent company about GBP 58 million.
In August 2016, a power cut crashed Delta Air Lines’ check-in system, causing long delays and the cancellation of 2,300 flights. The outage is expected to cost the company USD 150 million.
Cyberattacks have also been known to cause disruption to airline operations. In 2015, over 1,400 passengers with Poland’s national carrier LOT suffered delays due to a distributed denial of service attack against the airline. LOT’s chief executive warned that further cyberattacks were likely and could affect any airline at any time.
Even more worryingly, cyberattacks could have far worse than financial implications; they could undermine safety.
There are indications that hackers can access aircraft flight controls and air traffic systems: some commentators suspect that hackers were behind the outage of the Swedish air traffic control system in 2015.
Security experts and penetration testers have identified vulnerabilities in aircraft systems too. One claimed that he repeatedly hacked a US passenger plane via the entertainment system and was able to manipulate the plane’s engines inflight. Another boasted that he could take over an aircraft’s steering system using a mobile phone.
“Given the increasing sophistication of cyberattacks, the industry fears the possibility of on-board navigation systems being hacked,” Stephens affirms. “The property damage, bodily injury and business interruption claims would be debilitating even for the largest airlines if they were unable to recover these losses through insurance”.
Fortunately, the cover available in the hull and liability market that protects airlines from physical damage and liability in air accidents – generally without any specific restrictions to cyberattacks or technology malfunctions – would normally be covered by aviation insurance.
Importantly, however, a major air disaster has never been conclusively proved to have been the result of a cyberattack. So, the insurance market’s reaction to such a claim remains untested.
In terms of existing insurance, airlines have been most interested in filling two gaps not covered by the traditional aviation insurance market:
- Firstly, the costs and liabilities of a data breach. This is understandable, given the amount of personal data they hold and the headline news impact of such breaches in other sectors. The retail industry, for example, saw 417 data breaches in 2016, compromising more than 60 million records.
- Secondly, the business interruption and extra expenses resulting from a cyberattack or system glitch. These costs can be significant.
Cyber policies can cover these risks, from both attacks and system failures, Stephens explains. “Cyber insurance can cover the expenses of dealing with a crisis, including recovery, investigations, customer notifications, litigation costs, liabilities and compensation,” she says”. “It can also cover loss of profits caused by system outages.”
"As the cyber risks facing aviation companies expand, cyber insurance is set to play an increasing role in helping the industry to keep flying.”
Airline Cyber Attacks
Delta Air Lines 26 September 2016 to 17 October 2017
A malware present in the software of a third-party chat service, 7.ai, used by Delta Air Lines may have compromised payment information of several hundred thousand customers of the airline. Delta Air Lines was informed about the cyberattack on 28 March 2018 by the third-party service provider.
Vietnam Airlines 29 July 2016
A website breach by hackers released confidential customer data, including the names, addresses and birth dates of 400,000 members of Vietnam Airlines' frequent flyers' club. The hackers accessed screens displaying Vietnam Airlines' flight information and took over the tannoy system, airing political messages regarding China's claim to the South China Sea.
LOT 21 June 2015
More than 1,400 passengers at Warsaw's Frederic Chopin Airport were grounded due to a cyberattack. The incident prevented the airline from creating flight plans, grounding scheduled flights until the issue was resolved.
British Airways 27 March 2015
British Airways reported that the accounts of its frequent flyer programme were compromised as members were sharing credentials on an online service that could have been hacked. Tens of thousands of British Airways Executive Club accounts were illegally accessed via credentials stolen from a third party and the attackers redeemed members' reward points.
For further information, please contact firstname.lastname@example.org.