A low-cost Turkish airline mistakenly exposed the personal information of flight crew members, as well as source code and flight data, after misconfiguring an AWS bucket. On February 28, a research group from security comparison site SafetyDetectives revealed that the cloud storage had been left openly accessible. Parts of the exposed data were traced back to Pegasus Airlines’ Electronic Flight Bag (EFB) software.
EFBs are information management tools that help airline crews be more productive by providing them with important reference resources for their flight. About 23 million files, roughly 6.5TB of exposed data, were discovered in the bucket. More than three million of those files contained sensitive flight data, including flight charts and modifications, insurance documents, specifics of concerns discovered during pre-flight checks, and crew shift information.
Personally identifiable information (PII) about airline staff, such as images and signatures, was found in more than 1.6 million files. The trove also contained source code for Pegasus’ EFB software, as well as plain-text credentials and secret keys. SafetyDetectives believed that, in addition to the possible privacy consequences for crew members, the leak may have allowed malicious actors access to very sensitive information.
“Bad actors could tamper with sensitive flight data and extra-sensitive files using passwords and secret keys found on PegasusEFB’s bucket. While we can’t be certain that pilots will use the bucket’s files for upcoming flights, changing the contents of files could potentially block important EFB information from reaching airline personnel and place passengers and crew members at risk,” it said.
According to the report, crew members might be subjected to blackmail by organized crime groups. The information housed in the data repository could also aid bad actors in identifying security flaws in airports and airlines. However, there’s no evidence that any malicious actors discovered the bucket before the research team did. Pegasus Airlines was notified on March 1, and SafetyDetectives found that the leak was fixed three weeks later.