Airlines Cybersecurity: Reservation Systems, Crew Scheduling, and Inflight Connectivity Risks
The attack surface of a modern commercial airline is vast and unique. It spans global distribution system (GDS) integrations that expose booking data to thousands of travel agents, Electronic Flight Bags used by crew on personal-style tablets, inflight connectivity systems that bridge airborne aircraft to internet-connected services, and crew scheduling systems that manage legally complex duty time compliance for thousands of cabin crew. Airlines combine enterprise IT complexity with operational technology, safety-critical systems, and public-facing consumer applications at a scale few other organisations match. Understanding the airline cybersecurity risk landscape requires mapping each of these distinct environments and the specific threats each faces.
Airlines combine enterprise IT, safety-adjacent OT, public consumer apps, and inflight connectivity — one of the most complex cybersecurity attack surfaces of any sector.
Reservation Systems and Global Distribution: The Data Layer
Airline reservation systems are among the most complex and data-rich IT environments in commercial operations:
- Passenger Service Systems (PSS): The core reservation platform — Amadeus Altea, Sabre, Navitaire — holding passenger booking data, payment information, frequent flyer records, and special service requests
- GDS integrations: Travel agencies access airline inventory through GDS platforms — each integration point represents a potential data access or compromise vector
- Direct booking channels: Airline.com, mobile apps, and API channels — all public-facing and subject to Magecart-style script injection (as demonstrated by the British Airways breach)
- Loyalty programme systems: Frequent flyer accounts are a specific attack target — credentials allow booking access and miles theft, and the accounts hold identity and payment data
- Departure Control Systems (DCS): Check-in, boarding, and load control systems — operational dependency with direct links to ground handling and airport systems
Crew Scheduling and Flight Operations Security
Crew management and flight operations systems are operationally critical and relatively under-secured in many airlines:
- Crew Management Systems: Duty tracking, pairing optimisation, and regulatory compliance systems — a disrupted crew management system can ground flights by preventing compliant rostering
- Flight planning and dispatch: Weight and balance, fuel planning, MEL compliance, and route optimisation systems used by operations control
- ACARS communications: Aircraft Communications Addressing and Reporting System — plaintext by design, unauthenticated, and subject to spoofing and interception
- Electronic Flight Bags: Pilot tablets running navigation, performance, and operational apps — mobile devices with mixed personal/professional use and variable MDM coverage
- OCC security: Operations Control Centre systems that manage real-time flight tracking, crew coordination, and disruption management
Inflight Connectivity: The Airborne Attack Surface
Inflight connectivity creates a unique cybersecurity challenge — a bridge between airborne aircraft systems and internet-connected services:
- Passenger Wi-Fi: Inflight internet access creates a potential pathway from passenger devices to aircraft network systems — isolation between passenger and aircraft systems must be absolute
- Inflight entertainment (IFE): Increasingly networked IFE systems have been shown by security researchers to share network infrastructure with operational aircraft systems in some implementations
- Satellite communications: The satellite link used for inflight connectivity, ACARS, and air-ground data communications is a potential interception and injection point
- Aircraft to ground data: Operational data flowing between aircraft and airline OCC via satellite and VHF data links is largely unencrypted and unauthenticated
- Avionics isolation: Aviation regulators require avionics systems to be isolated from inflight connectivity and passenger systems — but this isolation requires correct implementation and ongoing verification
Airline-Specific Threat Actors and TTPs
Airlines face a specific set of threat actors with documented techniques:
- Financially motivated ransomware: SpiceJet (2022) demonstrated the operational impact of ransomware on airline operations — encrypted systems, grounded aircraft, stranded passengers
- Passenger data theft: Magecart-style attacks targeting booking flows for payment card data (British Airways 2018)
- Loyalty programme fraud: Credential stuffing attacks against frequent flyer accounts — compromised accounts are sold in criminal markets and used for miles theft
- Business Email Compromise: Airline finance teams are targeted by BEC fraud — fake supplier payment requests and fraudulent wire transfer instructions
- Nation-state reconnaissance: State-sponsored actors conduct persistent reconnaissance against airline IT systems — for intelligence collection, capability development, and pre-positioning for potential disruption operations
Frequently Asked Questions
How do airlines protect frequent flyer accounts from credential stuffing attacks?
Airline frequent flyer accounts are systematically targeted by credential stuffing — automated testing of username/password combinations leaked from other breaches. Effective protections include: MFA for account login (ideally app-based rather than SMS); rate limiting and CAPTCHA on login pages; anomalous login detection triggering additional verification; dark web monitoring for compromised loyalty credentials; and enabling customers to view and manage active sessions. Many airlines have been slow to deploy MFA on loyalty platforms despite the clear threat — it remains a significant gap.
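The anomalous login detection mentioned above can be sketched as follows. This is an added example, not code from the original page or from any airline's platform; the event fields, thresholds, function names, and sample data are all assumptions constructed for illustration.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=5)  # assumed look-back window per source IP
MAX_ACCOUNTS = 5               # assumed: distinct accounts tolerated per window
MIN_FAIL_RATIO = 0.8           # assumed: failure share that marks stuffing

def sample_events():
    """Constructed login events: (ISO timestamp, source IP, account, outcome)."""
    base = datetime(2024, 5, 1, 10, 0, 0)
    events = []
    for i in range(8):  # one source walks eight accounts, one guess lands
        outcome = "success" if i == 5 else "fail"
        ts = (base + timedelta(seconds=10 * i)).isoformat()
        events.append((ts, "203.0.113.7", f"ff{1000 + i}", outcome))
    # An ordinary member mistypes once, then logs in to their own account.
    events.append((base.isoformat(), "198.51.100.20", "ff2000", "fail"))
    events.append(((base + timedelta(seconds=30)).isoformat(),
                   "198.51.100.20", "ff2000", "success"))
    return events

def detect_stuffing(events, window=WINDOW, max_accounts=MAX_ACCOUNTS,
                    min_fail_ratio=MIN_FAIL_RATIO):
    """Return (flagged source IPs, accounts needing a forced reset/review)."""
    recent = defaultdict(deque)  # ip -> (time, account, outcome) inside window
    flagged, review = set(), set()
    for ts_raw, ip, account, outcome in sorted(events):
        ts = datetime.fromisoformat(ts_raw)
        q = recent[ip]
        q.append((ts, account, outcome))
        while ts - q[0][0] > window:  # expire attempts older than the window
            q.popleft()
        accounts = {a for _, a, _ in q}
        fails = sum(1 for _, _, o in q if o == "fail")
        if len(accounts) > max_accounts and fails / len(q) >= min_fail_ratio:
            flagged.add(ip)
        if ip in flagged:
            # A success from a stuffing source means the password is known
            # to the attacker, including one seen just before the flag fired.
            review.update(a for _, a, o in q if o == "success")
    return flagged, review

if __name__ == "__main__":
    sources, accounts = detect_stuffing(sample_events())
    print("flagged sources:", sorted(sources))
    print("accounts to review:", sorted(accounts))
```

A per-source window like this misses attempts spread thinly across many addresses or paced slower than the window, which is why it complements MFA rather than replacing it.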
What is the cybersecurity risk from inflight Wi-Fi to aircraft systems?
The aviation regulatory framework requires strict isolation between passenger inflight connectivity systems and aircraft avionics and control systems. When this isolation is correctly implemented, inflight Wi-Fi does not create a pathway to safety-critical aircraft systems. However, security researchers have demonstrated that this isolation has not always been perfectly implemented — some older IFE implementations shared network infrastructure with operational systems. EASA and FAA guidance requires airlines to conduct cybersecurity risk assessments of all new connected systems, and inflight connectivity systems are subject to specific approval requirements.
Are airline loyalty programmes covered by the same cybersecurity regulations as core airline operations?
Loyalty programmes are typically separate legal entities or business units — in some cases operated by third parties. From a cybersecurity regulation perspective, loyalty programmes that process personal data are subject to UK GDPR data protection requirements. Where loyalty programmes are part of an OES-designated airline group, NIS security requirements may apply. CAA CAP 1753 focuses on aviation operational security rather than loyalty programme IT security specifically. However, a loyalty programme breach that affects passengers of a regulated airline will attract CAA attention and ICO investigation.