[BreachExchange] United Airlines cockpit codes accidentally leaked

Audrey McNeil audrey at riskbasedsecurity.com
Mon May 15 19:10:35 EDT 2017


The confidential codes required to access United Airlines' cockpits have
been accidentally leaked to the public in what the airline calls a mistake,
rather than a data breach.

On Sunday, the Wall Street Journal reported that the airline sent out a
blast alert to employees over the weekend warning them of the inadvertent
code leak, caused by a flight attendant who posted the information online.

Within the email sent to employees, the airline said that a "corrective
action plan" had been launched, but by following flight deck security
procedures already in place the risk of a breach of the flight deck door is
"strongly mitigated."

The incident has been reported to the Federal Aviation Administration (FAA)
as the use of the cockpit codes could give individuals unauthorized access
to pilot compartments, and in today's world of terrorism and the risk of
planes being attacked or hijacked, such an information leak could be
dangerous to crew and passengers.

United Airlines spokeswoman Maddie King confirmed the issue to CNN, saying
that the information was "inadvertently made public." King rejected the
idea that the data leak was the result of a cybersecurity breach.

Speaking to CBS News, a pilot said he suspected United Airlines would need
to change the code lock on the cockpit doors, but this will likely be
time-consuming as they have to be done manually on a plane-by-plane basis.

"The safety of our customers and crew is our top priority and United
Airlines utilizes a number of measures to keep our flight decks secure
beyond door access information," the company said in a statement. "In the
interim, this protocol ensures our cockpits remain secure. We are working
to resolve this."

United Airlines has enjoyed little positive press in recent times. After
passenger Dr. David Dao was forcibly dragged off a flight to make room for
staff in a manner which left him with facial injuries, the airline was
forced to apologize and offered what was likely a substantial amount of
compensation to prevent the firm being taken to court.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.riskbasedsecurity.com/pipermail/breachexchange/attachments/20170515/9f87b7ee/attachment.html>

More information about the BreachExchange mailing list