San Francisco International Airport Warns About Potential Login Credential Leaks


The COVID-19 pandemic has hit a wide range of industries, but it's fair to say that few business sectors have suffered as much as air travel. The number of passengers has understandably plummeted, and airlines and airports have to deal with unexpected problems like finding parking spots for all the grounded airplanes. Everyone in the sector is anxiously awaiting the end of the crisis and is thinking of how they are going to get everything back to normal once it's all over. At the San Francisco International Airport (SFO), however, they have yet another problem on their minds.

San Francisco International Airport has suffered a cyberattack

On April 7, without much fanfare, SFO published a data breach notice, which said that the airport had been targeted by a cyberattack. According to the notice, in March, attackers compromised a couple of SFO's websites, SFOConnect.com and SFOConstruction.com, and injected some malicious code into them.

On the face of it, the malware is rather dangerous. According to the notification, it allowed hackers to steal not only data users entered on the compromised websites but also login credentials that unlock the victims' personal devices.

The conclusions we can draw from the incident

It must be said that the notice is rather short, and it's not exactly brimming with details. It doesn't say, for example, how many people could have been affected. It's also unclear when the code was injected and when it was discovered. What we do know is that the problem was rectified on March 23 when SFO removed the code and reset some internal passwords.

Bitdefender covered the story and tried to fill in some of the gaps. According to the security company, one of the websites, SFOConstruction.com, is related to an SFO construction project that is currently underway. Due to the attack, the website was pulled down, and as of the time of writing, it's still under maintenance. The other target, SFOConnect.com, is an employee gateway that provides news and other resources to people working at the airport. In other words, the number of potential victims is not that huge, and it's limited further by the only piece of technical information that we can find in the data breach notice.

According to the notice, users could have been affected only if they accessed the compromised websites from outside SFO's network on Windows computers via Internet Explorer. Once again, there are absolutely no further details, but we can deduce from this statement that the injected code exploited a vulnerability in Microsoft's old and infamously insecure web browser.
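The three exposure conditions in the notice (outside SFO's network, Windows, Internet Explorer) map directly onto a web-log filter for scoping who may need a credential reset. The sketch below is an added example, not code from SFO or Bitdefender; the log format, the internal address range and the sample lines are assumptions made for illustration.

```python
import ipaddress
import re
from datetime import date, datetime

# Assumptions, not from the notice: the internal range and the log layout
# (Apache/nginx "combined" format with the virtual host prepended).
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]
AFFECTED_HOSTS = {"sfoconnect.com", "sfoconstruction.com"}
REMEDIATED = date(2020, 3, 23)  # the notice says the code was removed on March 23

LINE_RE = re.compile(
    r'^(?P<vhost>\S+) (?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"[^"]*" \d{3} \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)

def is_ie_on_windows(ua):
    # IE <= 10 sends "MSIE n.n"; IE 11 drops it but keeps a "Trident/" token.
    return "Windows NT" in ua and ("MSIE " in ua or "Trident/" in ua)

def is_external(ip):
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETS)

def exposed_requests(lines):
    """Return (user, ip, day) for requests that meet every exposure condition."""
    hits = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # unparseable line: skip rather than guess
        host = m["vhost"].lower()
        host = host[4:] if host.startswith("www.") else host
        day = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z").date()
        # No lower date bound: the notice does not say when the code was injected.
        if (host in AFFECTED_HOSTS and day <= REMEDIATED
                and is_external(m["ip"]) and is_ie_on_windows(m["ua"])):
            hits.append((m["user"], m["ip"], day.isoformat()))
    return hits

# Constructed sample lines (documentation IP ranges, made-up users).
SAMPLE = [
    'sfoconnect.com 203.0.113.7 - alice [16/Mar/2020:08:12:01 -0700] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko"',
    'sfoconnect.com 10.1.2.3 - bob [16/Mar/2020:09:00:00 -0700] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko"',
    'www.sfoconstruction.com 198.51.100.9 - - [20/Mar/2020:14:30:10 -0700] "GET /docs HTTP/1.1" 200 812 "-" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0)"',
    'sfoconnect.com 203.0.113.8 - carol [17/Mar/2020:10:05:44 -0700] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.149 Safari/537.36"',
    'sfoconnect.com 203.0.113.7 - alice [25/Mar/2020:08:00:00 -0700] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko"',
]

if __name__ == "__main__":
    print(exposed_requests(SAMPLE))
```

Only the first and third sample lines match: the others are excluded for coming from the internal range, for using a different browser, or for falling after the remediation date.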

All in all, this wasn't the most significant attack in the world. SFO's main website remained unscathed, and according to StatCounter, as of March 2020, Internet Explorer's market share sits at less than 4%, which goes to show that most users were safe. The attack shouldn't be underestimated, though.

According to Bitdefender, it's not unreasonable to assume that the hackers broke in after phishing an SFO employee's login credentials. The airport's IT experts need to think about what they can do to stop this from happening again. If it does happen, they need to make sure that the account they give offers the general public a clearer picture of what went wrong and why.

April 14, 2020
