Cybersecurity researchers have found a data leak incident concerning a Turkey-based firm Pegasus Airlines, which exposed their AWS S3 bucket that contained EFB or Electronic Flight Bag data on the web. The researchers explained that the exposed data was left without password protection, thus resulting in the leak.
The Turkish airline company has partnered with PegasusEFB, which owns the open bucket. Many airlines globally have used the company’s software in their daily operations, including Pegasus, Air Manas, and IZair. PegasusEFB utilised the compromised AWS S3 bucket for pilots’ aircraft navigation, such as takeoff and landing, refilling fuel, safety measures, and other significant in-flight procedures.
Numerous data of PegasusEFB included in the bucket were left exposed online, allowing anyone to access them easily. The source code of the EFB software is also included in the leak that contained plain-text passwords and other critical keys that anyone could exploit for system infiltrations.
The total amount of data exposed from Pegasus Airlines was 6.5TB, consisting of 23 million files that could affect the security of their passengers and crew members, alongside other affiliated airlines that use PegasusEFB software.
Researchers immediately reached out to Pegasus Airlines upon learning of the breach on their AWS S3 bucket and had it secured. The open bucket data exposure included sensitive flight data, EFB software source code, and crew PII.
Two of the most dominant sensitive data compromised in the incident include over 3.2 million sensitive flight data and 2.9 million spreadsheets and acceptance forms. Meanwhile, the crew PII exposure consists of over 1.6 million files of the airline staff’s photographs and signatures.
About 400 files in different formats were also stored in the compromised open bucket for the PegasusEFB software source code.
As of now, security researchers are uncertain whether malicious actors had already abused the compromised PegasusEFB open bucket. From the overall extent of the exposed data of Pegasus Airlines, millions of people are at risk of potential cyberattack threats.
Additionally, the compromised source code stored in the open bucket could be configured by malicious actors in ways the researchers have yet to uncover. Nevertheless, considering how advanced most of the threat groups are now, numerous attack vectors could be carried out from the breached data of the airline’s passengers and flight crews.