Turkish-based airline, Pegasus Airlines, has had sensitive Electronic Flight Bag (EFB) information leased according to a cyber security team at SafetyDetectives.
SafetyDetectives said in published findings on 30 May that an ASW S3 bucket containing the airline’s EFB information was left without password protection, leaking a range of sensitive flight data.
The S3 bucket’s information was linked to an EFB software developed by PegasusEFB that pilots use for aircraft navigation, takeoff/landing, refueling, safety procedures, and various other in-flight processes, according to SafetyDetectives.
A total of 6.2 TB of data was exposed, equating to almost 23 million files found on the S3 Bucket.
“This exposure could impact the safety of every Pegasus passenger and crew member around the world. Affiliated airlines that are using PegasusEFB could also be affected,” SafetyDetectives explained.
Data that was exposed included sensitive flight data, crew Personally identifiable information (PII) and source code from the EFB software.
Over 3.2 million files contained sensitive flight data. Spreadsheets (around 2.9 million files) and acceptance forms (over 290,000 files) were the two most-prevalent datasets containing this information.
Timeline
The open bucket was discovered by the cyber security team on 28 February 2022 as part of a large-scale web-mapping project.
The team subsequently contacted the airline on 1 March 2022 regarding the open S3 bucket.
On 20 March the team sent a follow-up message to Pegasus and reached out to PegasusEFB. Finally, on 24 March the SafetyDetective team responsibly disclosed the data exposure to Pegasus EFB after making contact with the company.
“The AWS S3 bucket was promptly secured and PegasusEFB later replied, thanking us for the notification,” SafetyDetectives said.
S3 bucket security
Amazon S3 works an object storage service that stores data as objects within buckets.
Amazon describes a bucket as a container for objects stored in Amazon S3. Any number of objects can be stored in a bucket and there can be up to 100 buckets in a user account.
Amazon offers advice on how to secure an S3 bucket, including best practices including restricting access to S3 resources, monitoring of S3 resources and using encryption to protect data.
SafetyDetectives pointed out, “Amazon is not responsible for the misconfiguration of PegasusEFB’s bucket.”