Some pilots (and hopefuls) for American and Southwest Airlines may need to take steps to protect their identity, as a third-party vendor has disclosed a data breach that involves an applicant portal it maintains.
Pilot Credentials allows pilots to upload their training history and professional experience to work with recruiters, and both American and Southwest have contact portals on the site that allow for job applications to be initiated directly. These portals appear to be the focal point of the data breach, with each airline disclosing that thousands of records containing sensitive personal information were exposed.
American and Southwest data breaches exposed pilot ID and social security numbers
Airlines have had a number of serious data breaches in recent years; American alone has had three prior incidents since 2021. The odds are about even that a third-party vendor will be involved, but recent studies have found that this is the most likely avenue of attack for a hacker for all types of businesses.
Third-party vendors that are smaller than the partner company are likely to have poorer cybersecurity. There is not much that an organization can do in these situations but bake security requirements into the contractual agreement and hope for the best. A vendor’s history of data breaches could very well become a major factor in the screening process in the near future, but at the moment surveys indicate that partner companies tend not to keep very good tabs on their vendors.
Reporting requirements also still have a certain level of slack, at least compared to countries with a strong national regulatory standard. The Pilot Credentials breach took place at the end of April and was reported to the airlines by May 3, but data breach notifications were not filed until late June. The breach involves sensitive information: Social Security numbers, dates of birth, passport and driver license numbers, and other forms of identification. American says that it lost 5745 records, while Southwest reports 3009.
The stolen information has not yet appeared on the dark web, and there is not yet any indication as to who attacked the third-party vendor. An insider would likely be the best-case scenario for victims, offering the greatest possibility of recovering the data before it spreads. But the most likely cause is a criminal hacking gang that will at some point sell or dump it on the dark web.
What can be done about third-party vendor data breaches?
While data breaches might seem to be an inevitability at this point, there are methods that can virtually eliminate them, primarily encryption at rest and tokenization. But when the primary concern is cost, these methods often lose out to simply eating the price of the occasional breach. There are also some well-founded fears that these systems will overcomplicate things internally, slow things down too much, break legacy systems, and fail to scale as needed.
In addition to reviewing contractual agreements to ensure that partners are being properly audited at acceptable intervals, an immediate improvement that organizations can make is to increase visibility into, and communication across, the IT environment. The idea is to more quickly spot unusual behavior originating from third-party vendors and have a practiced response in place for data breaches from these sources.