[BreachExchange] Cyber security is being tightened at Australian airports after an identity card data hack

Audrey McNeil audrey at riskbasedsecurity.com
Thu Jul 19 19:00:44 EDT 2018


https://www.businessinsider.com.au/identity-card-data-hack-data-breach-australian-airports-2018-7

A data hack at a company which issues aviation industry security identity
cards is being investigated by the Australian Federal Police as federal
authorities tighten cyber security at airports.

The breach, which potentially exposed personal details of those applying
for a security check, occurred at the website of Aviation ID Australia, a
company providing Aviation Security Identity Cards (ASIC) to regional
airports in Australia.

Authorities and the company are saying little. We only know the hack
occurred because the company, as required under new reporting regulations,
informed users in an email.

The Notifiable Data Breaches amendment introduced in February this year
only requires the affected parties be notified of the loss of personal data
likely to result in serious harm. There is no requirement to make public
the extent of the breach or even announce that a hack has occurred.

From the emails sent to those affected, we know that the information at
risk, what “may have been breached”, according to the company, includes the
type of information very useful to those wanting to steal identities: name,
street address, birth certificate number, drivers licence number, Medicare
card number and ASIC number.

The company told its customers that “a localised portion of our website has
been intentionally accessed by an unauthorised entity”.

The Australian Federal Police has confirmed it is investigating a potential
breach of the Aviation ID Australia website.

“While the investigation remains ongoing, it is not appropriate to provide
further details,” says a police spokesperson.

Asked about the extent of the hack and the airports affected, the Civil
Aviation Safety Authority said: “As the Federal Police have an ongoing
investigation we have been asked not to release any details.”

The Department of Home Affairs, which runs airport security, says it is
aware of the cyber incident involving Aviation ID Australia and is working
closely with all aviation and maritime security identification card (ASIC
and MSIC) issuing bodies to increase cyber security.

“Australia has a comprehensive and robust transport security system,
designed to respond to the threat environment and target the areas of
highest risk,” the department says.

“The Aviation ID Australia cyber incident would not enable someone to
fraudulently produce another ASIC or MSIC. The cards are protected by a
proprietary security feature and are produced under secure conditions.”

The department says the ASIC is not an access card and only indicates that
the holder has had a background security check.

But the card is essential for airport workers. Without it they cannot
get into secure areas. The website of the Civil Aviation Safety Authority
says: “You need a valid ASIC if you require frequent access to a secure
area of a security controlled airport.”

The Department of Home Affairs says airport and seaport owners and
operators are responsible for access control to secure areas.

“It is not appropriate to provide further details while the investigation
remains ongoing,” the department said.

Brisbane Airport, which does not use the hacked provider, told Business
Insider: “The Australian Government has written to all ASIC Issuing Bodies
directing them to take certain actions (where needed) to provide higher
levels of assurance around the protection of personal data including, but
not limited to, external cyber security audits on a recurrent basis.”

There are more than 30 providers of Aviation Security Identity Cards. The
larger airports, such as Sydney, have their own issuing body, doing
security background checks and confirming identities in-house.

The cards must be worn when accessing secured areas at airports. Pilots
typically wear one of them plus an airport security access card.

Industry sources say ASIC cards are extremely important.

“If I misplace mine even for a day it’s really tricky to get temporary
access,” a senior commercial airline pilot told Business Insider.

“They are taken very seriously and certainly it is the only way for workers
to be allowed airside to do our jobs.”

One provider, Security ID, says its data has not been compromised.

“Our systems are robust, complying with recommendations of the Australian
Cyber Security Centre and are subject to audit,” it says.

Aviation ID Australia, the company which was hacked, is based at Merimbula,
NSW, and mainly services rural and regional airports.

It’s not known which airports are its customers but none of the major city
airports are affected.