A Pegasus airplane prepare to landing as flying over the wreckage of the Pegasus Airlines Boeing 737 airplane in Istanbul, on February 9, 2020, four days after it skidded off the runway upon landing at the Sabiha Gokcen airport. – Turkey will investigate two pilots for possible negligence after their plane skidded off an Istanbul runway killing three passengers, state media reported on February 7. A total of 174 passengers and six crew were injured after the Boeing 737, operated by Turkish low-cost carrier Pegasus Airlines, flew into Sabiha Gokcen airport from the western city of Izmir late on February 5. Istanbul’s prosecutor will probe the pilots on suspicion of causing death and injury through negligence, the TRT broadcaster reported. (Photo by Yasin AKGUL / AFP) (Photo by YASIN AKGUL/AFP via Getty Images)

A vulnerability in software developed by Turkish airline Pegasus has left 6.5 terabytes of data exposed online. The data breach, which comprises 23 million files including personal information of flight crew, is thought to have originated from a misconfigured ‘bucket’ on Amazon’s cloud service AWS.

A jet for Pegasus Airlines, who suffered a large data breach
Pegasus Airlines has had 6.5tb of data exposed online. (Photo: YASIN AKGUL/AFP via Getty Images)

The data, spotted by security vendor Safety Detectives, stems from the company’s EFB software, which is used for aircraft navigation, takeoff and landing and refueling, as well as other safety procedures, and various in-flight processes.

Pegasus has sold this software to two other airlines, Turkish IZ Air and Kyrgystani Air Manas, both of whom could be affected by the breach, Safety Detectives says.

How did the Pegasus Airline data breach happen?

A bucket is used by AWS customers to store related data and objects. The Pegasus EFB bucket’s security settings were misconfigured, meaning it was left open and could be easily accessed by anyone.

The breach was discovered by Safety Detectives as part of a large scale web mapping project, in which its researchers used web scanners to find unsecured data stores. Upon finding the bucket the company contacted the airline, who promptly optimised the bucket’s security.

According to Safety Detectives, available information included flight charts and navigation materials, as well the personal information of crew. The bucket also featured nearly 400 files with plain text passwords and secret keys, as well as source code for the software.

“These files were left accessible and could allow anyone to delete, modify or upload data to additional encrypted databases, files and folders on the bucket,” the security company said.

The perils of insecure AWS buckets

Pegasus is not the first organisation to have data exposed by an inadequately protected AWS bucket. In August 2020, security researcher Bob Diachenko discovered 3.1m patient records, thought to stem from a medical technology company, Adit, exposed online in an unsecured AWS bucket.

In 2017 an unprotected AWS cloud bucket exposed 100GB of confidential data belonging to the US Intelligence and Security Command, an intelligence organisation operating within both the US Army and the NSA.

Tech Monitor has approached Pegasus Airlines for comment.

Read more: Personal data breaches are falling, except in Russia