Data breach at Australian Airport Identity Security system


Security company says its website has been operated by an unauthorized party

An Australian company issuing identity cards to access airports has been notifying cardholders that their personal information may have been compromised, as reported by experts in secure data destruction from the International Institute of Cyber Security.

Aviation ID Australia is one of many providers of aviation security identity cards. The company, established in 2005, provides services to rural and regional airports. The cards are mandatory for airport personnel, including pilots and air cargo agents, who require unescorted access to sensitive airport areas. The company's directors told the media that the security breach occurred after a section of its website was interfered with.

The company has not determined the scope of the attack, although experts in secure data destruction believe that it probably extends to names, addresses, birth certificates, driver license numbers, and social security numbers.

According to reports from specialists in secure data destruction, the Australian Federal Police is already investigating the event, although it is still unclear whether Aviation ID Australia was responsible for giving notice to the authorities. In February, an amendment to the law began requiring organizations with more than $3M in annual invoicing to report serious breaches within 30 days after the event.

Aviation Security Identity Card (ASIC)

About 45 airports and companies are authorized to issue this type of ID. The cards are intended to show that a person has completed a valid background check, according to the Australian Department of Internal Affairs.

The airport cards, as well as their equivalent in the Navy, “are important to assure the sectors of aviation, maritime, gas and oil, against possible terrorist acts”, according to the Department of Infrastructure and Regional Development. The cards should be renewed every two years.

Some sectors allow people to apply for ASIC online, including Aviation ID Australia. Others offer forms that must be presented in person.

An infamous website

The Aviation ID Australia website, however, seems old and outdated, according to information security and secure data destruction specialists’ assessments. Experts say that this is not necessarily an indication of low security, but there are other features that suggest that the server might allow someone to intercept unencrypted data traffic.

Post-it password

Previously, anyone requesting ASIC accreditation could complete the process entirely by mail, but changes made since last August now require applicants to present identity documents in person at some point in the process.

Tony Morris, an amateur pilot, revealed a serious lapse in ASIC’s registration system. When he went to pick up his ASIC card, the staff member helping him stepped away from his workstation for a few moments, leaving the computer unlocked, with the ASIC system login password written on a note attached to the computer’s keyboard.