Cyber threats in the aviation industry
Market study | 11 December 2024 | Global | Technology risk
The aviation industry has seen a surge in ransomware attacks in recent years, and cyber incidents are a serious threat to business continuity. The CrowdStrike outage of July 2024, although not caused by bad actors, brought chaos to many airlines as well as to other industries and showed how far that threat extends.
Data shows that cyber-attacks across the aviation industry rose by 131% between 2022 and 2023[1], with the highest proportion of attacks targeting airspace users, i.e. airlines and other aircraft operators. The financial and reputational consequences for the aviation industry of failures in cyber security are enormous.
Cyber incidents impacting the aviation industry can:
- Be high profile, attracting significant media attention;
- Involve multiple jurisdictions, as the nature of the aviation industry, more so than many others, means that a cyber-attack can impact customers and suppliers throughout the world;
- Result in large fines from regulators;
- Lead to litigation brought by those affected, which can be costly even if the claims never reach court.
In July 2024 Eurocontrol[2] published its 2024 Cyber Security Report[3], an in-depth analysis of the evolving cyber threat landscape in aviation. The report drew on data from a broad range of organisations worldwide, including airspace users, airport operators and civil aviation authorities, and found a notable surge in both the quantity and diversity of reported cyber events over the past year.
The report confirmed that the primary impact of cyber attacks on aviation remains financial, with an estimated global impact in the billions of euros annually. The main attack methods recorded against the aviation industry are fraudulent websites, phishing, DDoS (Distributed Denial of Service, in which an attacker floods a server or network link with traffic from many sources so that legitimate users cannot reach the service), malware, hacking and ransomware.
Add other factors such as data theft and air miles fraud, and the industry faces a “perfect storm”.
IATA[4] has called for greater collaboration within the civil aviation industry and enhanced transparency on shared risks in aviation cybersecurity. It is developing a set of requirements for operators, and in the EU a framework for information security risk management in aviation is set to take effect in 2026.
Lessons from the CrowdStrike incident
On 19 July 2024, a faulty content update to CrowdStrike's Falcon sensor crashed Windows hosts around the world and caused a global IT outage. The incident highlighted the vulnerability we all face from technology failures or cyber events, particularly where the risk does not arise within the organisation but from dependencies on others. Supply chain risk arising from third-party IT or security failures can cascade through the aviation industry with particular severity: the CrowdStrike outage caused flight delays and cancellations, and the business interruption losses that followed flowed directly from that disruption.
Following the outage, Delta Air Lines announced that the incident and the resulting interruption to business, including flight cancellations, led to losses of around US$550 million. Its results for the September 2024 quarter noted that the direct revenue impact of the incident was approximately US$380 million, primarily driven by refunds to customers for cancelled flights and customer compensation in the form of cash and SkyMiles. The non-fuel expense impact was US$170 million, primarily due to customer expense reimbursements and crew-related costs.
Delta has since faced a class action lawsuit in the US courts, with court documents stating that the outage “resulted in massive delays throughout the global airline industry. According to flight tracking…there were more than 4,000 flight cancellations and 35,500 flight delays worldwide by Friday afternoon”; the outage took place on the morning of Friday 19 July 2024. In October 2024 Delta brought its own legal action against CrowdStrike to recover a reported US$500 million in out-of-pocket losses arising from the disruption, together with undisclosed litigation costs and punitive damages.
In this context, airlines will need robust procedures to minimise business interruption: the right people must be involved, and everyone must know the processes and procedures in place. Internal policies should consider the impact of business interruption and its potential severity. Workarounds should be validated before they are needed, so that contingency plans actually work when invoked.
The CrowdStrike outage also highlighted the impact of supply chain risk in the aviation industry, and how a failure within an airline’s supply chain, whether caused by an attacker or not, can have as much impact as a cyber incident within its own business. Supply chain attacks are on the rise. Research has found that 98% of organisations have a vendor relationship with at least one third party that has experienced a cyber event in the last two years[5]. The supply chain must therefore be considered when preparing cyber security policies and procedures.
Guidance to mitigate cyber threats
A cyber event is an all-encompassing risk that can affect every area of the business: not only legal, but also IT, Directors & Officers liability, PR and marketing, HR and more. Key points to be aware of are as follows:
- Interruption to business should not be underestimated; it results in lost revenue while systems are down as well as the cost of restoring systems to normal (or improved) order.
- There is potential for very costly regulatory exposure, not only the fine imposed by the relevant national regulator but also the time and cost of cooperating with an investigation.
- Always check reporting obligations and comply within the deadlines. Under Article 33 GDPR a personal data breach must be notified to the supervisory authority without undue delay and, where feasible, within 72 hours of the controller becoming aware of it; GDPR regulators can and do impose fines for failure to report.
- There is always the possibility of litigation following a data breach, with claimants seeking damages for loss associated with the breach. Class actions are an increasingly popular method of claim in the US, with reports showing that 2,040 data breach class actions were filed in 2023 (nearly three times the number in 2022). In the EU, a number of decisions from the Court of Justice of the European Union have clarified issues regarding damages claims for data breaches, but have also potentially opened the door to an increase in claims. The EU Collective Redress Directive established a class action regime in the EU, requiring member states to have procedures in place providing access to collective redress, including for data breach claims. In the UK, two high profile data breach class actions have failed, in Lloyd v Google and Prismall v Google (the latter currently under appeal). However, claimant law firms are still recruiting claimants for data breach class actions, and data breach claims in the UK are evolving, with the Competition Appeal Tribunal allowing a claim on behalf of approximately 45 million UK Facebook users to proceed to trial.
- There can be severe reputational risk in the fallout from a cyber event, potentially leading to loss of customers.
- Directors and officers can be personally at risk. In California, for example, former directors and officers of Yahoo agreed to pay US$29 million to settle a breach of fiduciary duty claim arising from data breaches occurring between 2013 and 2016. Clyde & Co’s Global Directors and Officers Report 2024[6] listed cyber risk as the second highest risk perceived by directors and officers.
- A cyber event requires consideration of both internal and external communications. It is not just an IT problem, so it is not enough to consider only the technical aspects, whether in preparing to prevent a breach or in dealing with one. Most parts of a business should therefore be involved in, or at least aware of, the issues, for example in working to prevent attacks and in knowing the reporting requirements.
- Business continuity planning, policies and procedures should all be reviewed and updated to incorporate data and cyber security plans. While every cyber event is different, its impact can be mitigated with proper planning, and an effective Incident Response Plan that is shared across the business can be invaluable. Many data regulators also expect organisations to have well-defined and tested incident management processes in place.
- It will not be sufficient to say you were simply the victim of a cyber-attack, as can be seen in the reasoning given by the ICO when it fined British Airways in 2020 for its 2018 data breach. It is necessary to show that you have done all that is required of you to prevent an attack and to protect data.
- Be aware of legacy systems, as these may be more vulnerable to attack, or may be out of compliance with current data protection legislation. British Airways sought to argue that Article 25 GDPR[7] did not apply to its 2018 data breach because the provision was not in force when BA designed the relevant data processing systems. The ICO did not agree, holding that Article 25 applies at “the time of processing itself” and is a continuing obligation.
- Consider your supply chain. The Eurocontrol report noted that “it is increasingly evident that aviation’s reliance on the cyber-resilience of its supply chain is crucial”. Require the same level of cyber security of your suppliers as you do within your own organisation, and verify that they meet it.
- Be prepared to undertake testing. The ICO said in the British Airways case that “had more rigorous testing been performed, or had internal penetration tests been performed (where an attacker with access to the network was simulated), many of the problems identified within this decision are likely to have been detected and appropriately addressed”.
The Clyde & Co cyber team and its global One network offer a global, locally tailored cyber risk solution. We can help you manage every aspect of cyber risk, from readiness through response to recovery. We have one of the largest dedicated cyber teams across our network of offices and operate a “follow-the-sun” model, with teams in different regions available to assist around the clock. Operating through a single global practice group, Clyde & Co is widely acknowledged to be the world’s premier aviation law firm.
If you have any queries or would like specific advice please contact our Cyber and Aviation teams.
[1] eatm-cert_2024_report_on_cyber_in_aviation.pdf (eraa.org)
[2] Eurocontrol is an intergovernmental organisation with 41 member states and 2 comprehensive agreement states, dedicated to supporting European aviation.
[3] eatm-cert_2024_report_on_cyber_in_aviation.pdf (eraa.org)
[4] acysec-industryposition-2023.pdf (iata.org)
[5] Research-Close-Encounters-Of-The-Third-And-Fourth-Party-Kind.pdf (securityscorecard.com)
[6] Global Directors’ and Officers’ Liability Report 2024: Clyde & Co
[7] Article 25 GDPR (data protection by design and by default) requires a data controller to implement appropriate technical and organisational measures both when determining the means of processing and at the time of the processing itself, and to ensure that by default only personal data necessary for each specific purpose are processed. Data protection must therefore be embedded throughout the lifecycle of an organisation’s processing and business activities.