A ransomware attack struck a third-party system that handles check-in and boarding systems.
Dozens of flights and thousands of passengers were impacted by a cyberattack that disrupted check-in and boarding systems at major European airports this past weekend. On Monday, the European Union Agency for Cybersecurity said it was a ransomware attack.
As a cybersecurity incident responder, I know how disruptive cyberattacks can impact people and businesses. This past weekend, my professional and personal lives collided. I was one of those thousands of passengers in Brussels trying to navigate the chaotic travel.
Here is a first-hand account of what it was like at the airport this past weekend.
My wife and I were celebrating our 10th wedding anniversary in Brussels this past weekend. We flew over from London Heathrow on Friday evening. This was just a day before the reported cyberattack on Collins Aerospace, a major provider of check-in and baggage handling software used in several major European hub airports, including London Heathrow, Frankfurt, and Brussels.
I was only vaguely aware of the attack. As an attentive husband, I was trying to stay off my smartphone as much as possible during our anniversary weekend. However, an email to my wife from British Airways on Saturday evening warned us of potential delays at the airport the next day.
We checked in electronically as suggested and received our boarding passes on our phones. We decided to put this to the back of our minds and not let it encroach too much on our weekend celebrations.
During the day, we heard that roughly half of the flights from Brussels had been cancelled. Stress started to rise slowly, but a quick check showed that our 20:35 flight was still on schedule. Just in case, we cut our trip short and decided to head to the airport early.
The first indication that something was wrong was the queues at the airline check-in and information desks in departures. There were clearly people who had turned up for autumn getaways, only to find their plans dashed by cybercriminals. Airline and ground services staff were frantically trying to provide information on what had happened and what to do next, but the frustration of the crowds forming large queues was palpable.
The second indication was that the electronic gates for Fast Track security, which we normally use, were closed. These gates require the scanning of boarding passes to ensure that you’ve either paid the Fast Track fee to the airport, have an appropriate level of frequent flyer status with an eligible airline, or you’re flying First or Business Class. This channeled all passengers into a smaller number of luggage and people scanners.
We were able to check into the lounge without any issues, as the ticket type and frequent flyer status are shown on the electronic boarding pass. I thought it made sense to head to the gate much earlier than I normally would for such a small flight, and that’s when the largest sign that things were not quite right became visible. A queue of every single passenger on the flight, whether they held a paper or electronic boarding pass, had now formed across the boarding gate pier and down the corridor. We were on an Airbus 321neo, but much longer queues could be seen up and down the terminal for larger aircraft.
Image 1: Queues for replacement boarding passes.
Without instruction on what to do, we joined the queue until we reached the front and asked the very stressed but polite Aviapartner ground service staff what we needed to do. They asked for our passports and existing boarding passes, then proceeded to handwrite a replacement and document our details by pen and paper so they could construct a manifest of who should be on the flight.
Image 2: My handwritten replacement boarding pass.
I looked at my boarding pass and noticed that I was in 1D, whereas my wife's boarding pass clearly said 2F. “Great,” I thought, “we’re not sitting together on our anniversary.” But I wasn’t going to make a fuss. The staff were clearly dealing with a very challenging situation, and I was just trying to get us home in light of all the flight cancellations.
My wife pointed out that the 1D was probably 2D; it’s just that the poor ground service agent at the gate had already written dozens of these, so expediency, not legibility, was their major concern.
After a delay of three-quarters of an hour, it was finally time to board. When we made our way to our seats, it took nearly another 45 minutes to fill the plane due to the laborious process of handwriting each boarding card and recording passenger details by hand onto a makeshift boarding manifest. Once the manifest was handed to the crew, there were multiple headcounts and analysis of some of the entries. Finally, we took off, considerably delayed but happy to be heading home.
According to RTX, the owner of Collins Aerospace hit by the incident: “The impact is limited to electronic customer check-in and baggage drop and can be mitigated with manual check-in operations.” I saw something many people don’t see when they read such a line in the media. I saw elderly couples and young families having their flights cancelled and their dreams delayed. I saw businesspeople struggling to get to London ready for meetings early the next morning. I saw ground staff performing heroics while angry passengers took their frustrations about a third-party supplier’s IT systems out on them.
This is the true cost of ransomware, which I’ve seen firsthand:
As an incident responder, I’ve seen whole swathes of IT and Security Operations staff want to quit during an incident. This is because they’re expected to perform heroics under duress, despite the fact that a disruptive incident such as this should be a standard part of their risk assessments. A stronger cyber resilience posture may have meant they could have handled the situation more like business-as-usual.
Contingencies like the handwritten boarding passes are the ultimate fallback mechanism, and I believe all organisations, no matter how good their cyber resiliency is, should always have this in place as a final safety net. However, they just don’t scale to the same level of throughput and accuracy afforded by the IT systems they’re replacing. This is evident in the fact that half of all the flights from impacted airports were cancelled on Sunday. I was lucky enough to be on one that wasn’t.
At the efficiency and scale at which organisations need to operate in the 21st century, manual processes shouldn’t be the fallback. Organisations need to have established their tolerances for operational downtime and built the appropriate levels of resiliency to be able to recover, investigating and cleaning their workloads prior to recovery, or to rapidly rebuild them to a trusted state, so that systems are restored to deliver their services at the scale and efficiency that customers demand.
At the end of the day, British Airways got us home, albeit with significant delays, but others had their flights cancelled and plans ruined while ground staff had frustrated customers shouting in their faces while they were just trying to help. Heroics, burnout, and customer frustration aren’t replacements for planning and practice.
Written By
James Blake
Global Cyber Resiliency Strategist