M&A and cybersecurity: A case study in aviation industry

The aviation industry is more vulnerable to cyber threats than ever before. Even a technical glitch can trigger huge operational disruptions, as seen during the recent Microsoft CrowdStrike issue.

We recently examined the APT group threat to the aviation sector. That analysis also revealed further risks specific to the aviation industry.

Linked deeply with the travel and tourism industry, the aviation sector is susceptible to cybersecurity risks that come with mergers and acquisitions (M&A). As companies operating in the aviation sector merge or acquire customer-facing operations in these associated sectors, they often face an increased probability of cybersecurity incidents due to complex integrations and new vulnerabilities.

Understanding the correlation: Aviation M&A and cybersecurity

When airlines and aviation companies merge or acquire new businesses, their IT systems, data volumes, and operational structures grow more complex. With this complexity comes an expanded cyber-attack surface, making companies prime targets for hackers. Aviation cybersecurity professionals often find themselves addressing new challenges during these transitions, such as integrating legacy systems and managing the influx of sensitive data.

The aviation sector has experienced notable breaches during or after M&A processes. Curiously, many of the recent notable breaches in the sector happened after big-ticket M&A deals.

Take a look at the following cases:

Case Study 1: British Airways and Iberia

When British Airways and Iberia merged to form the International Airlines Group (IAG) in 2011, no immediate cybersecurity issues emerged. However, seven years later, in 2018, British Airways suffered a major data breach, compromising the personal and financial data of over 429,000 customers. A malicious script inserted into their website exposed serious vulnerabilities that had gone unnoticed.

Case Study 2: Cathay Pacific and Dragonair

Cathay Pacific’s acquisition of Dragonair in 2006 may have appeared smooth on the surface, but in 2018, a breach affecting 9.4 million passengers revealed deeper cybersecurity issues. The breach exposed sensitive passenger data, including passport information.

Case Study 3: SITA and various airline partners

The aviation IT giant SITA, which partners with numerous airlines globally, experienced a breach in 2021 affecting several major airlines like United, Singapore Airlines, and Air New Zealand. The breach was linked to the integration of multiple IT systems, revealing how third-party risks can proliferate when integrating new partners during M&A activities.

Third-party vendors add new access points that, if not properly secured, become easy targets for cybercriminals. As aviation companies merge or acquire new partners, the importance of securing the supply chain becomes critical.

Why cybersecurity incidents rise post-M&A

Based on these cases and others in the aviation industry, several factors can explain why cybersecurity incidents tend to rise post-merger:

Complex IT system integration: Merging different IT infrastructures is complex and may expose vulnerabilities. Older systems may not be compatible with newer technologies, leading to security gaps. Without consistent cybersecurity protocols, these systems are left open to attack. Hackers often exploit unmonitored access points during the integration phase.

Increased data volume and attack surface: With M&As, the volume of sensitive data, including passenger records, financial data, and intellectual property, increases significantly. This expanded data set makes the organization a more attractive target for cybercriminals. 

Organizational complexity and communication breakdowns: Post-M&A, organizations face increased complexity, leading to communication breakdowns between different teams and departments. A lack of a clear cybersecurity strategy or unified response plan can create serious security gaps.

Transitional vulnerabilities: During the transitional phase, companies often prioritize financial and business integration over cybersecurity. Resource allocation to IT security may drop, increasing the company’s exposure to threats.

Aviation M&A: A cybersecurity checklist

To avoid these pitfalls, aviation companies undergoing M&A processes need to prioritize cybersecurity throughout the entire process. Hadrian proposes the following steps to help mitigate the risks:

Conduct thorough cybersecurity audits: Before any M&A activity, companies should conduct full audits of IT systems and security protocols.

Integrate cybersecurity into due diligence: During the M&A process, cybersecurity must be a priority, with IT security experts involved at every stage.

Standardize security protocols: Ensure that both companies in the M&A adhere to consistent security measures, integrating best practices for data protection and threat detection.

Monitor for long-term risks: Even after integration, companies must monitor for new vulnerabilities. Post-M&A cybersecurity reviews should be conducted regularly to address any long-term challenges.

Whether it’s the integration of complex IT systems, an increase in data volume, or transitional vulnerabilities, the post-M&A period can leave companies exposed to cyber threats. The damage is particularly high in the aviation sector because of the wide customer impact and geopolitical importance.

If you're in the aviation sector and considering an M&A deal, don’t overlook the critical role of cybersecurity. Ensure that you have a robust strategy in place to safeguard your business from cyber threats. Access Hadrian’s comprehensive whitepaper on how APT groups exploit the attack surface to target the aviation sector here. 
