June 1, 2022 (updated 17 Aug 2022 9:21am)

Pegasus Airline breach sees 6.5TB of data left in unsecured AWS bucket

An unsecured cloud data store has left vital information from the airline's software exposed online.

By Claudia Glover

A vulnerability in software developed by Turkish airline Pegasus has left 6.5 terabytes of data exposed online. The data breach, which comprises 23 million files including personal information of flight crew, is thought to have originated from a misconfigured ‘bucket’ on Amazon’s cloud service AWS.

Pegasus Airlines has had 6.5tb of data exposed online. (Photo: YASIN AKGUL/AFP via Getty Images)

The data, spotted by security vendor Safety Detectives, stems from the company’s EFB software, which is used for aircraft navigation, takeoff and landing and refueling, as well as other safety procedures, and various in-flight processes.

Pegasus has sold this software to two other airlines, Turkish IZ Air and Kyrgyzstani Air Manas, both of which could be affected by the breach, Safety Detectives says.

How did the Pegasus Airline data breach happen?

A bucket is used by AWS customers to store related data and objects. The Pegasus EFB bucket’s security settings were misconfigured, meaning it was left open and could be easily accessed by anyone.

The breach was discovered by Safety Detectives as part of a large-scale web mapping project, in which its researchers used web scanners to find unsecured data stores. Upon finding the bucket, the company contacted the airline, which promptly optimised the bucket’s security.

According to Safety Detectives, available information included flight charts and navigation materials, as well as the personal information of crew. The bucket also featured nearly 400 files with plain text passwords and secret keys, as well as source code for the software.

“These files were left accessible and could allow anyone to delete, modify or upload data to additional encrypted databases, files and folders on the bucket,” the security company said.
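The kind of exposure described above can be checked for from the defender's side. The following is an added example, not code from Safety Detectives, Pegasus or the original article: a Python audit function that takes a bucket's ACL, bucket policy and Block Public Access settings and reports whether anyone can read or write. The function names and sample data are hypothetical, and skipping policy statements that carry a Condition is a simplification.

```python
import json

# ACL grantee groups that S3 treats as public (anyone / any AWS account).
PUBLIC_GROUPS = {
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
}

def _as_list(v):
    return v if isinstance(v, list) else [v]
def _is_public_principal(p):
    # "*" or {"AWS": "*"} means any caller, authenticated or not.
    return p == "*" or (isinstance(p, dict) and "*" in _as_list(p.get("AWS", [])))

def public_exposure(acl, policy_json, pab):
    """Return the subset of {"read", "write"} that is open to anyone."""
    found, pab = set(), pab or {}
    # IgnorePublicAcls neutralises public ACL grants that already exist.
    if not pab.get("IgnorePublicAcls"):
        for g in acl.get("Grants", []):
            if g.get("Grantee", {}).get("URI") in PUBLIC_GROUPS:
                perm = g.get("Permission")
                if perm in ("READ", "FULL_CONTROL"):
                    found.add("read")
                if perm in ("WRITE", "WRITE_ACP", "FULL_CONTROL"):
                    found.add("write")
    # RestrictPublicBuckets cuts off anonymous access granted by a public policy.
    if policy_json and not pab.get("RestrictPublicBuckets"):
        for st in _as_list(json.loads(policy_json).get("Statement", [])):
            # Simplification: conditioned statements are skipped; review them by hand.
            if (st.get("Effect") != "Allow" or "Condition" in st
                    or not _is_public_principal(st.get("Principal"))):
                continue
            for action in _as_list(st.get("Action", [])):
                a = action.lower()
                if a in ("*", "s3:*") or a.startswith(("s3:get", "s3:list")):
                    found.add("read")
                if a in ("*", "s3:*") or a.startswith(("s3:put", "s3:delete")):
                    found.add("write")
    return found

# Constructed sample data (made-up bucket name) in the shape of S3 API responses.
OPEN_ACL = {"Grants": [{"Permission": "READ", "Grantee": {
    "Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AllUsers"}}]}
OPEN_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Principal": "*", "Action": ["s3:GetObject", "s3:PutObject"],
    "Resource": "arn:aws:s3:::example-efb-bucket/*"}]})
FULL_BLOCK = {"BlockPublicAcls": True, "IgnorePublicAcls": True,
              "BlockPublicPolicy": True, "RestrictPublicBuckets": True}
```

With no Block Public Access settings, the sample bucket reports both "read" and "write"; with all four settings enabled, the same ACL and policy report nothing.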

The perils of insecure AWS buckets

Pegasus is not the first organisation to have data exposed by an inadequately protected AWS bucket. In August 2020, security researcher Bob Diachenko discovered 3.1m patient records, thought to stem from a medical technology company, Adit, exposed online in an unsecured AWS bucket.


In 2017 an unprotected AWS cloud bucket exposed 100GB of confidential data belonging to the US Intelligence and Security Command, an intelligence organisation operating within both the US Army and the NSA.

Tech Monitor has approached Pegasus Airlines for comment.
