Hacking attacks on airlines up 1500% in two years


Airlines don’t want you to know, and the most vulnerable ones won’t even talk about it. Some are prepared to say they’re doing their best, but in many cases there’s nothing they can do about it.

Most attacks are common DDoS strikes, not really hacking, but ‘distributed denial of service’ – creating tens of thousands of automated requests on the website that so overwhelm it that it becomes either so slow as to be inoperable, or simply crashes.

These have occurred, according to security consultants who watch these things daily, on at least 12 occasions in the last 9 months, bringing down several airlines’ servers, either in full or in part.

Outages can be very damaging. Even those that last an hour or so can delay hundreds of flights and have knock-on effects around the world as aircraft and crews don’t arrive when and where they should, never mind the damage to passengers’ itineraries. Then there’s the knock-on effect of compensations, re-bookings, and on and on.


One airline has admitted its personnel records have been attacked, but it stopped it in time. Others have said privately that everything from catering supply chain systems to fuel delivery has either been compromised or very nearly, but nobody will go on the record and admit it openly.

One of the target areas that some airlines seem to have a hard time seeing as important enough to protect is mileage reward schemes.

Unsurprisingly, Lufthansa, in my experience, and its Miles & More scheme is one of the better protected. So far the best airline I’ve experienced for dual authentication protocols that are dependent on a separate authenticator app and not just a text message is Finnair, but it’s not compulsory.

Indeed most airlines seem to be happy to permit convenience to outrank security, even though it’s pretty clear that some are pathetically poor.


One airline I deal with regularly recently upgraded its membership security by adding more numbers to the membership account detail and allowing an 8-digit password, up from 6. You have to remember that the membership login gives them access to your bookings, meaning they could cancel them if they chose. Less than 12 is considered very weak, and not permitting special characters vastly undermines the safety of the password, so that’s just what they did: prevented their use. They moved from a system that was weak in 2004 to one that was weak in 2010 – in 2018.

Theft of reward miles – simple password hacks – is rampant because of poor password security. Thieves don’t book flights, they swap the miles out to other accounts, then spend them on the other shopping items most airlines offer. 90% of reward miles owners don’t look at their accounts more than twice a year, giving mileage thieves plenty of time to get away with the theft. They’re long gone by the time anyone notices.

A recent statistic showed that the volume of attack traffic on airline servers had risen from 156Gb/sec bandwidth to over 800Gb/sec at key points in attacks. That is simply vast, and shows determined efforts to destroy an airline’s credibility.

Why? Who knows? Mostly it’s because they can. Undoubtedly some may gain financially, betting against stock values if the news breaks, for example; there are also deliberate political motives, simple mischief-making and hacker point scoring. Whatever the reason, attacks are growing in depth and sophistication, and airlines seem to be doing very little more than the minimum to meet the challenge, just hoping they won’t be next.