View all newsletters
Receive our newsletter - data, insights and analysis delivered to you
  1. Technology
  2. Cybersecurity
June 1, 2022updated 07 Jun 2022 8:19am

Pegasus Airline breach sees 6.5TB of data left in unsecured AWS bucket

An unsecured cloud data store has left vital information from the airline's software exposed online.

By Claudia Glover

A vulnerability in software developed by Turkish airline Pegasus has left 6.5 terabytes of data exposed online. The data breach, which comprises 23 million files including personal information of flight crew, is thought to have originated from a misconfigured ‘bucket’ on Amazon’s cloud service AWS.

A jet for Pegasus Airlines, who suffered a large data breach
Pegasus Airlines has had 6.5tb of data exposed online. (Photo: YASIN AKGUL/AFP via Getty Images)

The data, spotted by security vendor Safety Detectives, stems from the company’s EFB software, which is used for aircraft navigation, takeoff and landing and refueling, as well as other safety procedures, and various in-flight processes.

Pegasus has sold this software to two other airlines, Turkish IZ Air and Kyrgystani Air Manas, both of whom could be affected by the breach, Safety Detectives says.

How did the Pegasus Airline data breach happen?

A bucket is used by AWS customers to store related data and objects. The Pegasus EFB bucket’s security settings were misconfigured, meaning it was left open and could be easily accessed by anyone.

The breach was discovered by Safety Detectives as part of a large scale web mapping project, in which its researchers used web scanners to find unsecured data stores. Upon finding the bucket the company contacted the airline, who promptly optimised the bucket’s security.

According to Safety Detectives, available information included flight charts and navigation materials, as well the personal information of crew. The bucket also featured nearly 400 files with plain text passwords and secret keys, as well as source code for the software.

“These files were left accessible and could allow anyone to delete, modify or upload data to additional encrypted databases, files and folders on the bucket,” the security company said.

The perils of insecure AWS buckets

Pegasus is not the first organisation to have data exposed by an inadequately protected AWS bucket. In August 2020, security researcher Bob Diachenko discovered 3.1m patient records, thought to stem from a medical technology company, Adit, exposed online in an unsecured AWS bucket.

Content from our partners
Why enterprises of all sizes must  embrace smart manufacturing solutions
European Technology Leadership: Deutsche Bank CTO Gordon Mackechnie
Print’s role in driving the environmental agenda

In 2017 an unprotected AWS cloud bucket exposed 100GB of confidential data belonging to the US Intelligence and Security Command, an intelligence organisation operating within both the US Army and the NSA.

Tech Monitor has approached Pegasus Airlines for comment.

Read more: Personal data breaches are falling, except in Russia

Topics in this article: ,
Websites in our network
NEWSLETTER Sign up Tick the boxes of the newsletters you would like to receive. Tech Monitor's research, insight and analysis examines the frontiers of digital transformation to help tech leaders navigate the future. Our Changelog newsletter delivers our best work to your inbox every week.
I consent to New Statesman Media Group collecting my details provided via this form in accordance with the Privacy Policy