As an industry, airlines control huge volumes of customer data across extensive networks, operate one of the most complicated vendor and supplier networks of any industry, and are substantial contributors to national GDP both as an employer and as a transportation operator.
Despite being a USD2 trillion industry, razor-thin margins mean that the operational or financial implications of a cyber event cause serious challenges for an airline operator.
Malicious Cyber Events are often the hardest to predict and can cause the most reputational harm. With the intent of disrupting operations in the hope of inciting an element of customer panic or direct financial loss, these events can materialise in a number of ways:
- Data or system degradation causing interruptions to flights
- Cyber extortion
- Privacy breaches or network security events
E-Cyber is designed to protect airlines against these malicious cyber attacks, providing comprehensive coverage for crisis management in identifying and resolving the cause of the cyber or extortion event, as well as offering financial protection for any fallout, such as:
- the increased cost of working or direct loss of net income due to the covered event
- defence costs and any subsequent damages or fines which may be incurred as a result of the event
Data manipulation, ransom, and breaches are a major concern for airlines given the high volume of Personally Identifiable Information they collect, which varies from passport and ID credentials through to credit and banking information, or even health records. This data is shared across an extensive employee network and multiple jurisdictions, making data management extremely complicated.
Whether the data is corrupted, exposed, or held ransom, E-Cyber is designed with an understanding of the inherent exposure airlines encounter in managing large data repositories. The policy is designed to cover the cost to the company of managing through a data breach, or a ransom event, as well as data restoration in the event of a cyber event. The policy further extends to consider the legal and regulatory implications of data breaches or any damages due to third parties not being able to access data.
Much like data management, maintaining network integrity presents a serious challenge, as inadvertent System Failures can be just as disruptive as malicious cyber attacks. Whether the failure is caused by negligence or mistake in managing the company’s system, a programming error, or a malfunction or failure of the company’s system, the airline’s operational outage will cause financial loss.
Many of these system exposures are intended to be covered within the E-Cyber policy as the triggers for business interruption and the liability sections extend beyond malicious acts and to the practicalities of managing a centralised network, from front end sales to back end flight operations, across a regional or even global infrastructure. As a result, we handle many of these system interruptions as if they were malicious and would look to provide coverage for event management to identify and resolve the system failure, the increased cost of working or direct loss of net income due to the covered event, or any defence costs and any subsequent damages or fines which may be incurred as a result of the event.
November 2015 – A major hotelier was the subject of a cyber attack. Malicious software was found on some point of sale systems and affected franchised restaurants, coffee bars and gift shops within their hotels and properties. The breach persisted over a 17-week period. The data stolen included credit card information and social security information.
March 2015 – A restaurant chain was closed for over a week after its point of sale and back office systems were infected by ransomware. The restaurant was unable to operate without access to these systems. A hefty ransom was demanded.
June 2014 – A large takeaway pizza company was a victim of a ransomware attack. 650,000 customer records were compromised and a ransom of €30,000 was sought as a bribe.
September 2013 – A large restaurant chain with 33 restaurants in various locations suffered a significant data breach over an 8-month period. During this time, credit card details and personal data were stolen as part of a highly sophisticated criminal operation.
March 2015 – A large hotel group was subject to a cyber attack affecting 10 of its hotels worldwide. The hacker used malware to acquire the credit card numbers of individuals who used a credit card for dining, beverage, spa, guest rooms, or other products and services.
February 2015 – A large hotel lodging company reported two data breaches in a year, following a number of complaints of fraud on customer credit and debit cards that were all recently used at a string of hotel properties run by a hotel franchise firm. The company suspected a breach of point-of-sale systems at 10 locations.
Throughout 2011 – Two men from Romania admitted to participating in an international conspiracy that hacked into credit-card payment terminals at more than 150 fast food restaurant franchises and stole data for more than 146,000 accounts.
2006 – Failures with an online booking system left a hotel unable to accurately manage its bookings, resulting in financial loss from under-occupancy and damage to reputation.