21 Jun, 2022

Pegasus Air Transport Corporation Data Breach Notice

The personal data affected by the breach falls within the identity, contact and location categories: the name, surname, phone number, e-mail address, title and flight information of pilots and cabin crew members, their flight locations, and the photographs and signature images of some of these employees were captured.

Unauthorized access to the systems occurred because of the browser listing feature of the service that was set up for flight planning and for coordinating the flight crews employed by the data controller.

The browser listing feature, which was found to be open on 21.03.2022, was turned off on 24.03.2022, and the vulnerability was resolved.

The breach was later detected on 31.05.2022 through information security intelligence monitoring tools; in addition, those who gained unauthorized access published self-introducing texts on social media accounts and some websites.

It is stated that, after the third parties who gained unauthorized access shared the data, they were contacted and asked to destroy the personal data they had accessed.

Conclusion: 

Airline companies carry out many data processing activities as data controllers. For this reason, the necessary administrative and technical measures must be taken from the outset to avoid a data breach. To measure security weaknesses, penetration tests should be run regularly and evidence collected from all endpoints before an incident occurs, as if one had already happened. Encryption and authorization controls, together with attack detection and prevention systems, will keep institutions and organizations one step ahead in all possible situations.

To access the full notice: https://www.kvkk.gov.tr/Icerik/7342/Kamuoyu-Duyurusu-Veri-Ihlali-Bildirimi-Pegasus-Hava-Tasimaciligi-Anonim-Sirketi

