MO:SES - Fotolia

United Airlines hack could signal bulk spying campaign

The latest United Airlines hack makes the case for better data breach notification laws and better network activity monitoring capabilities

The breach of United Airlines in the US could be the latest in a series of attacks that form part of a nation state bulk intelligence gathering campaign, say security experts.

The attack makes the case for better data breach notification laws and better network activity monitoring capabilities.

United has reported that its computer systems were breached in May or June 2015. Investigators have linked the attack to a hacking group with connections to the Chinese government.

The hacking group is also believed to be responsible for the theft of personal data records from the US Office of Personnel Management (OPM) and health insurer Anthem, according to Bloomberg.

The data stolen from United is thought to include information on flights’ passengers, origins and destinations.

“Nation states have the resources available for a clear line of offense that sets them apart from other classes of attackers,” said Casey Ellis, chief executive of security firm Bugcrowd. 

“There is clearly a concerted bulk intelligence gathering effort underway, with a focus on personal information,” he said.

According to Ellis, companies should be ensuring that the front doors are locked and well protected in terms of vulnerability detection and removal, preventative controls, anti-phishing training and controls and the segmentation of key assets, as well as keeping a close eye on the movements of core assets.

Traditional defences not enough

Security experts believe the hacking group is amassing a vast database of files that could be cross-referenced to identify US citizens working in defence and intelligence with security clearance who might be open to recruitment or vulnerable to blackmail.

The theft of airline flight records has raised concerns that hackers could potentially track travel patterns for specific government or military officials, while some commentators suggested the hackers may have been seeking to establish access to United’s systems for later use in disruptive attacks.

“The airline industry is going to have to quickly realise they make up a critical part of infrastructure that appeals to nation states and hacktivist groups. They need to do a better job hardening their systems,” said Stewart Draper, director of insider threat at Securonix.

“This is the second breach for United Airlines in the past 12 months and the FAA [Federal Aviation Authority] will need to prioritise industry level discussions around cyber security,” he said, adding that emerging behavioural analytics technology could play a significant role in the speed of detection and remediation of breaches.

Organisations are turning to behavioural analytics as the technology and underlying systems mature and they realise that traditional, signature-based defences are no longer enough, according to Matthias Maier, European product marketing manager for security intelligence firm Splunk.

Attackers are becoming better at stealing user credentials or tricking people into sharing their credentials, which means they are able to access corporate IT systems as legitimate users, hence the need for behavioural analytics, Maier told Computer Weekly.

Tim Erlin, director of IT security and risk strategy for Tripwire said, like other recent breaches, the hackers appear to have been inside the airline’s network for months before being detected.

“It’s clear standard detection tools are simply not performing or are not implemented correctly. Large companies and government agencies need to take a critical look at how they can identify what’s changing in their environment, as well as assess how those changes affect their security posture and attack surface,” he said.

Considering this breach is not likely to require disclosure in most US states based on the current laws, Erlin said the United breach should give the White House fuel to promote a national breach disclosure standard. 

“There are few citizens who wouldn’t want to know if their data was included in this kind of breach,” he said.

Call for data breach law

According to US reports, it is unclear whether United is considering notifying customers that data may have been compromised. A United spokesman said the airline would “abide by notification requirements if a situation warranted [it]”.

In January 2015, US president Barack Obama called for a single US data breach notification law among a raft of proposed legislation to improve US data security.

Tripwire’s chief technology officer Dwayne Melancon said anyone who suspects their personal data may have breached should consider free credit monitoring and identity theft protection services.

“There’s no way to easily change the personal data stolen in this breach – it’s not like a credit card fraud. This means you’ll need to carefully monitor any changes to your finances. In addition, beware of any emails or calls regarding this incident as they are almost certainly fraudulent,” he said.

Melancon also advises changing the answers to “secret questions” used to validate identity online, especially if they use personally identifiable information. 

“Make up your own questions and answers or use fictitious answers that are memorable to you to prevent criminals from guessing their way into your online accounts,” he said.

Read more about data breaches

Read more on Privacy and data protection