Turkish Flight Operator Pegasus Airlines Suffers Data Breach

Pegasus Airlines, the Turkish version of Pegasus Airlines, has reportedly suffered a breach of sensitive information after one of its AWS cloud storage buckets was left unsecured. 

The Electronic Flight Bag (EFB) information of an unknown number of customers was reportedly stored in the Turkish flight operator Pegasus Airlines suffers data breach, and customer data was reportedly exposed as a result.

The Turkish Data Protection Agency has so far confirmed that a company’s data leak has been confirmed after it received a data breach notification.

In case, you are confused about data leak vs data breach as they look very similar, so you can read it and clear your doubt.

Unauthorized Access

The Turkish Personal Data Protection Authority (Kisel Verileri Koruma Kurumu) confirmed that it was that Turkish Telecom Pegasus had unauthorized access to certain information held on Turkish servers. 

A vulnerability that allowed unauthorized access was located by regulators on March 21, and afterward fixed on March 24.

According to the relevant health authorities, confidential information includes the names, surnames, telephone numbers, e-mail addresses, titles, flight information, flight locations, photographs, and signature images of some employees on Turkish flight operator Pegasus Airlines suffers data breach.

Leaky bucket

According to Safety Detectives, which discovered the Turkish flight operator Pegasus Airlines suffers data breach, almost 23 million files were discovered on the bucket, totaling approximately 6.5 TB of data. 

A blog post explains that the files were linked to an EFB software developed by PegasusEFB that pilots use for aircraft navigation, takeoff and landing, refueling, safety procedures, and various other in-flight processes.

Pegasus Cessna Funding Company’s open bucket left included flight charts, navigation materials, and personally identifiable information (PII) accessible to anyone. 

The bucket also exposed EFB Software’s source code, which contained plain-text passwords and secret keys that someone could use to tamper with extra-sensitive files.

Potential Dangers

Pegasus Airline Airbus crew members’ safety has been compromised as a result of the system breach. Researchers discovered that spy groups with knowledge of behavior patterns could coerce the staff into revealing flight details and security vulnerabilities of the airlines and airports. Organized criminals can penalize workers who reveal vulnerabilities, and decanting malicious actors can uncover flaws in security protections.

Cybercriminals can alter sensitive flight data and extra-sensitive files by copying passwords and secret keys from the PegasusEFB bucket. Nonetheless, security experts remained uncertain about the likelihood that pilots would use this bucket s files for future flights, so there could be an issue with any crew members from reaching air companies and their own particular flights.

SafetyDetectives reported that there was no indication back then that threat actor detected the trove before they did. Pegasus Airlines was notified in March 2022, and the Turkish flight operator Pegasus Airlines suffers data breach leak that was then remediated two weeks later.