Airbus investigates personnel data breach

Intruders were detected in the information systems of the manufacturer’s commercial aircraft business, highlighting the need for a new approach to data protection

Airbus is investigating a “cyber incident” and data breach in its commercial aircraft business, underlining the fact that no business is immune from such attacks.

The company said “some personal data was accessed” but the intrusion has had no impact on its commercial operations.

“This incident is being thoroughly investigated by Airbus experts, who have taken immediate and appropriate actions to reinforce existing security measures and to mitigate its potential impact, as well as determining its origins,” the company said in a statement.

Airbus said the professional contact and IT identification details of some of its employees in Europe were known to have been compromised, but that investigations were ongoing to determine whether any specific data was targeted.

The company said it was in contact with the relevant regulatory authorities and the data protection authorities in compliance with the EU’s General Data Protection Regulation (GDPR).

Although the intrusion was detected on 6 January, it became clear only four days later that personal data had been affected, a spokesman said, adding that the French data protection authority, the CNIL, was notified on 11 January.

Airbus staff are being advised to take all necessary precautions, the company said. All those affected by the breach were notified before the breach was made public.

Pressed for more details about the intrusion, the spokesman said the company was unable to disclose any further information at this stage because the investigation was still under way. 

“Robust technical measures are being taken to prevent any further incident. Threats evolve fast and each incident helps us to improve our security,” he said. 

Acknowledging that Airbus is a prime target for malicious actors, the spokesman said that is why the company has detection and monitoring mechanisms in place. “We also constantly share information with our partners and community,” he said. 

Some security industry commentators say cyber intrusions at data-rich companies such as Airbus are becoming increasingly common, while others say this one demonstrates that organisations have to move away from traditional approaches that are failing to keep data safe.

Max Vetter, chief cyber officer at cyber skills development firm Immersive Labs, said companies that contain highly specialised intellectual property would always be a target for threat actors. 

“A huge amount of capital is poured into the R&D stage in such organisations, a cost that malicious actors can circumvent by trying to steal the resulting data,” he said.

“It is known that some nation states have been using this kind of espionage to speed up the production of technology for years. For this reason, it is crucial that technical countermeasures and cyber skills are continually refined to keep pace with attackers.”

Dan Turner, CEO of network security firm Deep Secure, said that as the latest in a “constant stream of cyber attacks”, the intrusion at Airbus shows that traditional cyber security solutions are not enough to help companies keep their data safe.

“We must assume that hackers are better at attacking than we are at defending,” said Turner. “And that’s why we must go beyond the detect-and-protect approach to cyber security and focus on preventing attacks.”

Turner said the cyber security industry must pursue novel technologies that empower organisations to secure their data effectively.

Irra Ariella Khi, CEO of blockchain-based security firm VChain, said current processes for storing sensitive data are not fit for purpose.

“Holding data on centralised, vulnerable systems is making it easy for hackers,” she said. “We urgently need to move to systems built using privacy-by-design principles – where data security and obscurity are built into the system, and data is not in a box that is inevitably breached.”
