A vulnerability in software developed by Turkish airline Pegasus has left 6.5 terabytes of data exposed online. The data breach, which comprises 23 million files including personal information of flight crew, is thought to have originated from a misconfigured ‘bucket’ on Amazon’s cloud service AWS.
The data, spotted by security vendor Safety Detectives, stems from the company’s EFB software, which is used for aircraft navigation, takeoff and landing and refueling, as well as other safety procedures, and various in-flight processes.
Pegasus has sold this software to two other airlines, Turkish IZ Air and Kyrgystani Air Manas, both of whom could be affected by the breach, Safety Detectives says.
How did the Pegasus Airline data breach happen?
A bucket is used by AWS customers to store related data and objects. The Pegasus EFB bucket’s security settings were misconfigured, meaning it was left open and could be easily accessed by anyone.
The breach was discovered by Safety Detectives as part of a large scale web mapping project, in which its researchers used web scanners to find unsecured data stores. Upon finding the bucket the company contacted the airline, who promptly optimised the bucket’s security.
According to Safety Detectives, available information included flight charts and navigation materials, as well the personal information of crew. The bucket also featured nearly 400 files with plain text passwords and secret keys, as well as source code for the software.
“These files were left accessible and could allow anyone to delete, modify or upload data to additional encrypted databases, files and folders on the bucket,” the security company said.
The perils of insecure AWS buckets
Pegasus is not the first organisation to have data exposed by an inadequately protected AWS bucket. In August 2020, security researcher Bob Diachenko discovered 3.1m patient records, thought to stem from a medical technology company, Adit, exposed online in an unsecured AWS bucket.
In 2017 an unprotected AWS cloud bucket exposed 100GB of confidential data belonging to the US Intelligence and Security Command, an intelligence organisation operating within both the US Army and the NSA.
Tech Monitor has approached Pegasus Airlines for comment.