03 July 2023
Out of Sight, Out of Mind
The Importance of Supply Chain Security for Aviation and Insurance
In early June, British Airways (BA) and Aer Lingus announced that they had been impacted by a cyberattack exploiting a vulnerability in MOVEit Transfer, a widely used managed file transfer product from Progress Software. They were joined by a host of UK and Irish entities across the public and private sector – Boots, Shell, Ofcom, TfL, the BBC and the Irish Health Service Executive (HSE) – and it is believed that the personal data of thousands of employees may have been compromised and exposed. Within a matter of days, the hackers had issued an ultimatum to all victims: “negotiate with us in the next 7 days or we will publish all of your stolen data online.”
For the aviation industry – which has seen a sharp rise in cybercriminal activity since the pandemic – the attack may be yet another wake-up call, not just in terms of the overarching threat posed to an organisation’s cyber defences, but more pointedly from the threat now posed by the sector’s increasingly complex and interdependent technological supply chain. With neither BA’s nor Aer Lingus’ own networks and systems compromised in the attack, how and why were they impacted?
From Zero-Day to Should We Pay?
On Monday 5 June, BA and Aer Lingus confirmed that the personal data of their staff had been exposed to cybercriminals following a data breach at one of their third-party service providers, Zellis, a UK-based payroll and HR software provider for some of the largest organisations in the UK and Ireland. The breach occurred after hackers exploited a recently discovered zero-day vulnerability (one unknown to the vendor, and therefore unpatched, when it was first exploited) in MOVEit Transfer, the managed file transfer product used by Zellis. Exploiting an SQL injection weakness in the product’s web application, attackers gained unauthorised access to the database behind the MOVEit Transfer instance, and from there were able to access and steal the files it managed – including data held by Zellis. For BA and Aer Lingus, confirmed customers of Zellis, the compromise of a ‘fourth-party’ supplier’s software now means that sensitive personal information held about their employees – names, dates of birth, addresses – has been exposed to hackers.
Attacks of this kind are by no means unique: cybercriminal groups are increasingly turning to organisations lower down the supply chain – third- and fourth-party software and technology service providers – as a way of reaching the ‘golden’ targets higher up the chain, in this case BA and Aer Lingus among many others. A recent study by IBM found that nearly one-fifth of breaches were caused by a supply chain compromise, although the true figure is likely higher, since many suppliers simply do not know, or fail to report, how they were compromised.
Within days of the breach being announced, Microsoft had attributed the attack to the cybercriminal gang CL0P, stating that the threat actor had "used similar vulnerabilities in the past to steal data and extort victims". Although CL0P has traditionally been associated with high-profile ransomware attacks, this campaign was data theft and extortion rather than encryption, and it mirrored the group’s exploitation of a zero-day in Fortra’s GoAnywhere file transfer software in February this year – an attack that affected Virgin Atlantic’s Virgin Red rewards scheme, organisations such as Procter & Gamble and Hitachi, and local governments in Toronto and Tasmania.
Security researchers believe that the MOVEit vulnerability is still being actively exploited, and that attackers may have been exploiting the zero-day for a number of weeks before it was publicly disclosed on 31 May (researchers noted a further uptick in activity after disclosure). Stressing the severity of the incident and its potential global reach, national cyber security agencies (the NCSCs in the UK and Ireland, and CISA in the US) urged organisations to take immediate action and apply the security updates released by Progress Software, the vendor of MOVEit Transfer. But, given what we now know about the attack, the attackers’ methods and supply chain attacks in the past, patching the affected systems is necessary but not sufficient: a patch closes the door, it does not evict an attacker who is already inside. With evidence that CL0P may have been probing MOVEit Transfer for some time (some researchers believe the group was experimenting with ways to exploit the vulnerability as far back as 2021), it is crucial that organisations that have run MOVEit Transfer at any point in the last few years now actively review their network, endpoints and security logs for malicious activity or indicators of compromise, and continue to monitor them.
At the time of writing, CL0P’s deadline for victims to begin negotiating with the criminal gang has passed. With the full scale of the attack still unclear, and many organisations (including US government agencies) still coming forward to disclose breaches, focus will now shift to whether impacted organisations should negotiate with the attackers (and pay to keep the stolen data from being published – the data was exfiltrated rather than encrypted, so there is no ‘access’ to buy back), or whether that ship has sailed and attention should turn to post-incident remediation and recovery. As the picture becomes clearer in the months ahead, there will be legal and regulatory questions too, as impacted organisations may face financial penalties from national regulators (under the GDPR in the EU and UK, for example, or sector-specific regimes such as HIPAA for health data in the US). In 2020, BA were themselves fined £20 million (reduced from a proposed £183.39 million) by the UK’s Information Commissioner’s Office (ICO) for a 2018 data breach impacting some 400,000 customers and staff, and may well face regulatory scrutiny once again.
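As an added example of what "reviewing security logs for indicators of compromise" looks like in practice for a MOVEit Transfer deployment, the following Python script hunts IIS web logs and the product's webroot for the traces this campaign left behind. It is not code from the original article, from Progress Software or from any organisation named here. The indicators come from the public CISA/FBI advisory on the campaign (AA23-158A) and incident write-ups: the LEMURLOOT web shell written to the webroot as human2.aspx, preceded by requests to legitimate product endpoints (moveitisapi.dll, guestaccess.aspx, api/v1/token) that the exploit chain abuses. The log lines are constructed in IIS W3C format, and the allowlist of shipped .aspx pages is an assumption the operator supplies.

```python
"""Hunt for MOVEit Transfer post-exploitation indicators in IIS logs and the webroot.

Added example, not code from the original article, from Progress Software or
from any organisation named in it. Indicators come from the public CISA/FBI
advisory AA23-158A and incident write-ups on the CL0P campaign. Log lines are
constructed, in IIS W3C extended format.
"""
from collections import Counter
from pathlib import Path
from typing import Iterable

WEBSHELL = "/human2.aspx"  # LEMURLOOT web shell; no legitimate client requests this
# Legitimate product endpoints; suspicious only when the same client
# goes on to request the web shell.
EXPLOIT_STAGING = ("/moveitisapi/moveitisapi.dll", "/guestaccess.aspx", "/api/v1/token")

# Constructed sample: two normal users on human.aspx (the real UI page) and one
# client walking the exploit chain. IIS writes spaces inside field values as
# '+', so whitespace splitting is safe on genuine logs too.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status
2023-05-28 01:12:03 10.0.0.5 GET /human.aspx - 443 alice 198.51.100.7 Mozilla/5.0 200
2023-05-28 01:13:44 10.0.0.5 POST /moveitisapi/moveitisapi.dll - 443 - 203.0.113.9 python-requests/2.28 200
2023-05-28 01:13:45 10.0.0.5 POST /guestaccess.aspx - 443 - 203.0.113.9 python-requests/2.28 200
2023-05-28 01:13:46 10.0.0.5 POST /api/v1/token - 443 - 203.0.113.9 python-requests/2.28 200
2023-05-28 01:13:51 10.0.0.5 POST /human2.aspx - 443 - 203.0.113.9 python-requests/2.28 200
2023-05-28 01:14:02 10.0.0.5 GET /human2.aspx - 443 - 203.0.113.9 python-requests/2.28 200
2023-05-28 01:20:10 10.0.0.5 GET /human.aspx - 443 bob 198.51.100.8 Mozilla/5.0 200
"""


def parse_w3c(lines: Iterable[str]) -> list[dict[str, str]]:
    """Parse IIS W3C extended log lines, taking column names from #Fields."""
    fields = None
    rows = []
    for raw in lines:
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if line.startswith("#") or fields is None:
            continue
        parts = line.split()
        if len(parts) != len(fields):
            continue  # malformed line: skip rather than misalign columns
        rows.append(dict(zip(fields, parts)))
    return rows


def webshell_hits(rows: list[dict[str, str]]) -> dict[str, int]:
    """Clients that requested human2.aspx, with request counts. Any hit is a finding."""
    hits = Counter()
    for r in rows:
        if r.get("cs-uri-stem", "").lower() == WEBSHELL:
            hits[r.get("c-ip", "?")] += 1
    return dict(hits)


def exploit_chains(rows: list[dict[str, str]]) -> dict[str, list[str]]:
    """Clients that touched a staging endpoint and later the web shell, mapped to
    the staging endpoints seen before their first web-shell request."""
    staged: dict[str, set[str]] = {}
    chains: dict[str, list[str]] = {}
    for r in rows:  # rows are in log order, so 'later' is positional
        ip, stem = r.get("c-ip", "?"), r.get("cs-uri-stem", "").lower()
        if stem in EXPLOIT_STAGING:
            staged.setdefault(ip, set()).add(stem)
        elif stem == WEBSHELL and ip in staged and ip not in chains:
            chains[ip] = sorted(staged[ip])
    return chains


def unexpected_aspx(present: Iterable[str], known: Iterable[str]) -> list[str]:
    """.aspx files in the webroot missing from the operator-supplied allowlist of
    shipped pages. human2.aspx is flagged even if someone allowlisted it."""
    known_lc = {k.lower() for k in known}
    shell = WEBSHELL.lstrip("/")
    return sorted(
        name for name in present
        if name.lower().endswith(".aspx")
        and (name.lower() not in known_lc or name.lower() == shell)
    )


def check_webroot(webroot: Path, known: Iterable[str]) -> list[str]:
    """Run unexpected_aspx() over a real webroot (assumed default install path
    C:/MOVEitTransfer/wwwroot; pass your own)."""
    return unexpected_aspx((p.name for p in webroot.iterdir() if p.is_file()), known)


def hunt(log_text: str) -> dict:
    """Both log-based checks over one log file's text."""
    rows = parse_w3c(log_text.splitlines())
    return {"webshell_hits": webshell_hits(rows), "exploit_chains": exploit_chains(rows)}


if __name__ == "__main__":
    findings = hunt(SAMPLE_LOG)
    for ip, n in findings["webshell_hits"].items():
        print(f"[!] {ip} requested human2.aspx {n} time(s)")
    for ip, stages in findings["exploit_chains"].items():
        print(f"[!] {ip} walked the exploit chain via {', '.join(stages)}")
    # Constructed directory listing standing in for a real webroot scan
    print("[!] unexpected .aspx:", unexpected_aspx(["human.aspx", "human2.aspx"], ["human.aspx"]))
```

On a live server, point parse_w3c at the IIS log files (by default under C:\inetpub\logs\LogFiles\W3SVC*) and check_webroot at the MOVEit webroot. A clean result is not proof of a clean system: the web shell can be removed after the data is gone, so the log review should go back to before 31 May and be paired with the database checks (unexpected accounts, unusual downloads) that the vendor advisories describe.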
Out of Sight, Out of Mind: The Importance of Supply Chain Security for Aviation and Insurance
The MOVEit vulnerability – like many of the supply chain cyberattacks of the last few years, with their outsized global impact (see, for example, the Log4j vulnerability and the SolarWinds compromise) – is a timely reminder to organisations, particularly those in the aviation sector, that supply chain cyber security must be placed at the forefront of enterprise risk management. It could be argued that, with supply chain attacks continuing to plague organisations globally, supply chain risk is currently not high enough on the agendas of organisations and their boards: it is out of sight, and therefore out of mind.
The same cannot be said of insurers, for whom what is called ‘aggregation’ risk – many insureds exposed through one shared dependency – is a standing concern. This is particularly true when evaluating aviation risks, as the use of shared providers is well known, for example global distribution systems (GDS). Coupled with a greater dependency on (critical) outsourced IT vendors and an ever-increasing move to public cloud platforms, this presents greater opportunity for the exploitation of personal data or the exfiltration of funds. Events such as the MOVEit example explored here, which received wide publicity and are by no means limited to the aviation vertical, only serve to reinforce the perceptions often held of the aerospace community and add to the challenge of securing appropriate insurance protection. With the aviation industry as vulnerable as any other, given its growing reliance on a multitude of third-party service providers, it is crucial that airlines take more proactive steps to improve their cyber resilience and protect their technological supply chains.
This can be achieved through better mapping and monitoring of supply chain risk across both third- and fourth-party service providers, to understand where potential weaknesses and dependencies lie, and by ensuring that organisations have the processes and procedures in place to carry out cyber due diligence and auditing of their suppliers (ensuring that contractual obligations are in place and that suppliers adhere to recognised industry security standards). Gallagher’s consultancy-led approach can help companies achieve this from the perspective of the insurance industry, by mapping an organisation’s security controls against the 700+ factors that underwriters use to assess risk profiles and even modelling what a possible loss scenario would look like.
These reports set out cyber risks in a commercial context – rather than focusing purely on the technical detail of interest to internal IT teams – and so are readily understood by an organisation’s C-suite. This helps clients decide how best to allocate resources between investing in infrastructure improvements, recognising that the cyber threat is constantly evolving and that their strategies must never stand still, and transferring some of the risk into the insurance market. This approach has helped aviation entities access appropriate insurance cover that would otherwise have been unavailable. While Gallagher have seen some positive signs in the cyber market, it is worth noting that many of these good results have been achieved on risks in financial services, one of the most regulated industries in the world and one that typically has the capital reserves to invest in its IT security infrastructure. The Consulting team at Gallagher Specialty continue to recommend a holistic view on navigating the evolving cyber threat landscape and engaging with the insurance market.
Arthur J. Gallagher (UK) Limited is authorised and regulated by the Financial Conduct Authority. Registered Office: The Walbrook Building, 25 Walbrook, London EC4N 8AW. Registered in England and Wales. Company Number: 119013.