
What the hack at Scandinavian Airlines teaches us

A Scandinavian Airlines aircraft takes off over a winter landscape with snow-covered forests.

Scandinavian Airlines (SAS) was the victim of a cyber attack on Feb. 14, 2023. The hack caused the website and the mobile application to be down for hours. In addition, for several hours after the systems came back online, it was possible for customers to view other customers' data, including credit card information, booking dates and address information.

Who was responsible for the SAS hack and what was their motive?

We can imagine that for most employees and customers of SAS (or any other airline), it’s not that important to know who the attacker was. From a security team's perspective, however, it is crucial to know, as we often see certain attack groups targeting specific industries. By focusing on one industry, these groups can specialize and improve their attacks every time.

A masked figure with the flag of Sudan, the symbol of 'Anonymous Sudan' the hacker group responsible for the cyber attack on SAS.

The group that claimed the hack on SAS is called 'Anonymous Sudan'. This group claims they always carry out attacks with a politically colored motive, which in this case was 'climate driven'. In the security industry these groups are known as 'hacktivists'. The specialty of this group is DDoS attacks, which are attacks that make the victim's systems (temporarily) unusable.


For hours, no new tickets could be sold and systems were unusable. Logically, this had a huge impact and resulted in severe financial damage for SAS. From the perspective of ‘Anonymous Sudan’, the attack certainly was a success.

What can we learn from the SAS hack?

After the attack, SAS immediately published a statement, which is great. At the same time, their statement somewhat downplayed the attack by stating that no other data was stolen and assuring passengers that the stolen data didn’t hold anything of use.

The latter in particular is a risky statement, because SAS hadn’t fully completed their investigations and couldn’t guarantee that the data didn’t fall into the wrong hands.

Press release from Scandinavian Airlines detailing the cyber attack, confirming that personal data was accessible by the hackers.

Could another airline become a victim?

Of course, this can happen to another airline as well. However, you can reduce the chance that hackers succeed by:

  • Keeping associate airlines around the world well informed about what’s going on in terms of ‘cyber’.
  • Continuously monitoring systems for ‘suspicious traffic flows’.
  • Reporting suspicious activity immediately to the appropriate (security) department.
  • Reporting slow or inaccessible systems to the appropriate department, as this is often a first sign of a DDoS attack.

It’s important to note that hackers often use the inattention of employees to successfully carry out their attacks.

How can users recognize DDoS attacks?

As a user, you may notice that the internet connection is slow or unresponsive. In addition, the device you’re working on could have trouble accessing websites, online services and business applications. These could be signs of a possible DDoS (Distributed Denial of Service) attack.

An employee struggles with technical problems in the office, a situation reminiscent of the recent hack at Scandinavian Airlines.

You can also check if other users are experiencing the same issue(s). If you suspect a DDoS attack has been initiated, it is important not to click on suspicious links or download files from unknown sources, as these may be part of the attack. When in doubt, report your suspicions immediately to the appropriate department.

If you are unsure which department this is, it’s important to find out as soon as possible. In most cases, you can get this information from your support department or the IT helpdesk.

Conclusion

Security teams should always try to identify who is behind an attack, because certain attack groups may target specific industries.

Airlines can minimize the chances of an attack being successful by keeping an eye on what is happening at competitors or partners. It is also important that colleagues know what suspicious activity is and to which department they need to report it.
