A low-cost Turkish airline accidentally leaked personal information of flight crew alongside source code and flight data after misconfiguring an AWS bucket, it has emerged.
A research team from security comparison site SafetyDetectives discovered the cloud data store left wide open on February 28. It traced some of the leaked information to Electronic Flight Bag (EFB) software developed by Pegasus Airlines.
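The report describes the bucket as "left wide open" but does not reproduce its configuration. The following Python function is an added example, not code from SafetyDetectives, Pegasus or AWS: given a parsed bucket policy, the ACL grant list and the Block Public Access settings in the shapes the S3 GetBucketPolicy, GetBucketAcl and GetPublicAccessBlock calls return, it lists every path by which anonymous (or any-AWS-account) readers could reach the bucket. The bucket name and all three documents below are constructed for the example.

```python
"""Offline exposure check for an S3 bucket's policy, ACL and Block Public Access
settings. Added example; the bucket name and documents are constructed."""
import fnmatch

ALL_USERS = "http://acs.amazonaws.com/groups/global/AllUsers"
AUTH_USERS = "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"
PUBLIC_GROUPS = {
    ALL_USERS: "AllUsers (anonymous)",
    AUTH_USERS: "AuthenticatedUsers (any AWS account)",
}
# The two actions that let an outsider enumerate and download objects.
READ_ACTIONS = ("s3:GetObject", "s3:ListBucket")
PAB_KEYS = ("BlockPublicAcls", "IgnorePublicAcls", "BlockPublicPolicy", "RestrictPublicBuckets")


def _as_list(value):
    if value is None:
        return []
    return [value] if isinstance(value, (str, dict)) else list(value)


def _principal_is_everyone(principal):
    """True for Principal "*" or {"AWS": "*"} (also inside a list)."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS"))
    return False


def public_read_findings(policy, acl_grants, pab):
    """Return human-readable findings for each anonymous read path.

    policy: parsed bucket policy dict (or None if the bucket has no policy)
    acl_grants: the "Grants" list from GetBucketAcl
    pab: the PublicAccessBlockConfiguration dict from GetPublicAccessBlock
    """
    findings = []
    # RestrictPublicBuckets neutralises "everyone" grants in the bucket policy,
    # so only evaluate the policy when it is off.
    if policy and not pab.get("RestrictPublicBuckets", False):
        for stmt in _as_list(policy.get("Statement")):
            if stmt.get("Effect") != "Allow" or not _principal_is_everyone(stmt.get("Principal")):
                continue
            patterns = [p.lower() for p in _as_list(stmt.get("Action"))]
            granted = sorted(a for a in READ_ACTIONS
                             if any(fnmatch.fnmatchcase(a.lower(), p) for p in patterns))
            if granted:
                # A Condition block may narrow the grant (e.g. aws:SourceIp), or may
                # not (e.g. aws:SecureTransport), so flag it for review, do not skip it.
                note = " (conditional, review the Condition block)" if stmt.get("Condition") else ""
                sid = stmt.get("Sid", "<no Sid>")
                findings.append(f"policy statement {sid} grants {', '.join(granted)} to everyone{note}")
    # IgnorePublicAcls makes AllUsers/AuthenticatedUsers ACL grants inert.
    if not pab.get("IgnorePublicAcls", False):
        for grant in acl_grants:
            uri = grant.get("Grantee", {}).get("URI")
            if uri in PUBLIC_GROUPS and grant.get("Permission") in ("READ", "FULL_CONTROL"):
                findings.append(f"ACL grants {grant['Permission']} to {PUBLIC_GROUPS[uri]}")
    return findings


# Constructed sample documents (hypothetical bucket name, not the real one).
OPEN_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "PublicRead",
        "Effect": "Allow",
        "Principal": "*",
        "Action": ["s3:GetObject", "s3:ListBucket"],
        "Resource": ["arn:aws:s3:::example-efb-bucket", "arn:aws:s3:::example-efb-bucket/*"],
    }],
}
OPEN_ACL = [{"Grantee": {"Type": "Group", "URI": ALL_USERS}, "Permission": "READ"}]
NO_PAB = {k: False for k in PAB_KEYS}        # every Block Public Access setting off
HARDENED_PAB = {k: True for k in PAB_KEYS}   # all four settings on

if __name__ == "__main__":
    for label, pab in (("open", NO_PAB), ("hardened", HARDENED_PAB)):
        print(label, public_read_findings(OPEN_POLICY, OPEN_ACL, pab))
```

With all four Block Public Access settings on, the same policy and ACL produce no findings, which is why enabling them at the account level is the usual first remediation step; the check above is deliberately conservative and still reports conditional "everyone" grants so a human can decide whether the condition really closes the door.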
EFBs are information management tools designed to optimize the productivity of airline crew by providing essential reference materials for their flight.
Almost 23 million files were found on the bucket, totalling around 6.5TB of leaked data. This included over three million files containing sensitive flight data such as: flight charts and revisions; insurance documents; details of issues found during pre-flight checks; and information on crew shifts.
Over 1.6 million files contained personally identifiable information (PII) on airline crew, including photos and signatures. Source code from Pegasus’s EFB software was also found in the trove, including plain text passwords and secret keys.
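Plain-text passwords and secret keys committed alongside source code are exactly what a pre-commit or CI secret scan exists to catch. The scanner below is an added example, not code from the report, from Pegasus or from any particular scanning tool: it walks source text line by line, matches AWS access key IDs, AWS secret access keys, private key headers and quoted password-style literals, skips deployment-time placeholders, and reports each hit with a redacted preview and its Shannon entropy. The sample settings file is constructed; the AWS key pair in it is the pair AWS publishes as documentation examples.

```python
"""Minimal source-code secret scanner. Added example; the sample file is constructed."""
import math
import re

# (kind, regex). The secret itself is the last capturing group, or the whole match
# when the pattern has no groups.
PATTERNS = [
    ("aws_access_key_id", re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b")),
    ("aws_secret_access_key",
     re.compile(r"(?i)aws[_-]?secret[_-]?access[_-]?key\s*[:=]\s*['\"]?([A-Za-z0-9/+=]{40})['\"]?")),
    ("private_key_block", re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----")),
    # keyword immediately followed by = or : and a quoted literal of 6+ characters
    ("password_literal",
     re.compile(r"(?i)(?:pass(?:word|wd)?|pwd|secret|token)\s*[:=]\s*['\"]([^'\"]{6,})['\"]")),
]
# Values that are templated at deploy time rather than real secrets.
PLACEHOLDER = re.compile(r"\$\{.*\}|\{\{.*\}\}|<.*>|%.*%")


def shannon_entropy(s):
    """Bits of entropy per character; 0.0 for an empty or single-symbol string."""
    if not s:
        return 0.0
    counts = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    return -sum(c / len(s) * math.log2(c / len(s)) for c in counts.values())


def redact(value):
    """Keep just enough of the value to locate it without re-leaking it."""
    return value[:4] + "..." + value[-2:] if len(value) > 8 else "*" * len(value)


def scan_source(text, filename="<string>"):
    """Return a list of finding dicts, in line order, for secrets found in text."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for kind, rx in PATTERNS:
            for m in rx.finditer(line):
                value = m.group(m.lastindex or 0)
                if PLACEHOLDER.fullmatch(value):
                    continue
                findings.append({
                    "file": filename,
                    "line": lineno,
                    "kind": kind,
                    "preview": redact(value),
                    "entropy": round(shannon_entropy(value), 2),
                })
    return findings


# Constructed sample; the AWS credentials are AWS's published documentation examples.
SAMPLE_SOURCE = """\
# settings.py (constructed sample, not Pegasus code)
import os
AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"
AWS_SECRET_ACCESS_KEY = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"
DB_PASSWORD = "Fl1ghtB4g-2022!"
API_TOKEN = os.environ["API_TOKEN"]          # fine: read from the environment
SMTP_PASSWORD = "${SMTP_PASSWORD}"          # fine: deployment-time placeholder
"""

if __name__ == "__main__":
    for f in scan_source(SAMPLE_SOURCE, "settings.py"):
        print(f"{f['file']}:{f['line']} {f['kind']} {f['preview']} entropy={f['entropy']}")
```

The environment lookup and the `${...}` placeholder pass the scan, the three literals do not. A real deployment would run this over every file in the commit and fail the build on any finding; the entropy figure is there so that low-entropy hits such as `password = "password"` can be triaged as test fixtures rather than live credentials.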
Aside from the potential privacy implications for crew members, SafetyDetectives speculated that the leak may have given malicious actors access to highly sensitive information.
“Bad actors could tamper with sensitive flight data and extra-sensitive files using passwords and secret keys found on PegasusEFB’s bucket. While we can’t be certain that pilots will use the bucket’s files for upcoming flights, changing the contents of files could potentially block important EFB information from reaching airline personnel and place passengers and crew members at risk,” it argued.
“With millions of files containing recent and possibly relevant flight data, unfortunately, an attacker could have numerous options to cause harm if they found PegasusEFB’s bucket.”
Crew members could also be the subject of coercion by organized crime groups, while the information contained in the data store could help bad actors identify weaknesses in airport and airline security, the report claimed.
However, there is no indication that any malicious actors found the trove before the research team did. SafetyDetectives notified Pegasus Airlines on March 1 and noted that the leak was remediated around three weeks later.