Ground Handling Cybersecurity: Third-Party Risk, Baggage Systems, and Aviation Supply Chain Security
Ground handling companies occupy a unique and under-scrutinised position in aviation cybersecurity. They operate at the intersection of airline systems (accessing airline departure control data for check-in and baggage), airport infrastructure (connecting to baggage handling and airfield systems), and their own IT environments (staff management, operations coordination, billing). They process passenger data. They connect to safety-critical OT systems. And yet, compared to airlines and airports, ground handlers receive significantly less regulatory cybersecurity attention — despite being one of the most common initial access vectors for aviation cyber incidents. EASA Part-IS supply chain requirements and CAA CAP 1753 third-party risk obligations are beginning to change this picture, but ground handling cybersecurity remains an underinvested gap in the aviation security landscape.
Ground handlers connect to both airline systems and airport OT — making them one of the highest-risk third-party relationships in aviation cybersecurity, yet one of the least regulated.
Ground Handler System Access: The Security Risk
Understanding ground handler cybersecurity risk requires mapping their system access:
- Airline Departure Control System (DCS) access: Ground handlers use airline-provided DCS access for check-in, boarding, and baggage processing — a direct connection to airline systems and passenger data
- Baggage handling system integration: Ground handlers operate baggage sortation systems and connect to airport BHS infrastructure — OT systems with safety and operational implications
- Load control systems: Weight and balance and load planning systems used by ground handlers have direct safety implications — inaccurate load sheets can affect aircraft performance
- Ramp management systems: Digital systems managing aircraft stands, ground support equipment, and airside vehicle movements
- Third-party airline systems: Large ground handlers may have access to multiple airline systems — a single compromised ground handler account could affect multiple airlines
Ground Handler Data Protection Obligations
Ground handlers process significant quantities of passenger personal data under arrangements with airlines:
- Passenger personal data: Name, booking reference, seat allocation, and baggage information processed through airline DCS access
- Special assistance data: Passengers requiring wheelchair assistance, unaccompanied minor processing, or other special services — potentially including health-related information
- CCTV footage: Ground handling operations on stands and in baggage halls are covered by airport CCTV — ground handlers may have access to footage systems
- Staff biometric data: Some ground handler operations use biometric time and attendance systems — biometric data has special category status under UK GDPR
- Data Processing Agreement requirements: Airlines providing DCS access to ground handlers must have compliant DPAs in place under UK GDPR Article 28 — and should verify that ground handlers have adequate security controls
Supply Chain Risk: Airlines and Airports Managing Ground Handler Security
From an airline and airport perspective, ground handlers are high-risk third-party relationships requiring active security management:
- Access provisioning and de-provisioning: Ground handler staff turnover is high — airlines must ensure DCS access credentials are revoked promptly when ground handler staff leave
- Security assessment requirements: EASA Part-IS and CAA CAP 1753 third-party risk requirements should include formal security assessments of ground handler partners
- Contractual security obligations: Ground handling agreements should specify minimum cybersecurity standards, incident notification requirements, and the right to audit
- Monitoring of DCS access: Anomalous access patterns to airline systems by ground handler credentials should be monitored — excessive data access, unusual hours, or access from unexpected locations
- Security requirements in handler selection: Aviation operators should include cybersecurity capability as a factor in ground handler selection and renewal decisions
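The three signals named under "Monitoring of DCS access" (excessive data access, unusual hours, unexpected locations) can be written as detection rules. The following is an added example, not code from any airline or DCS vendor; the log format, account names, station placeholder "XXX" and thresholds are all constructed assumptions, and "excessive" is measured against the handler's own peer median rather than a fixed limit.

```python
from collections import defaultdict
from datetime import datetime
from statistics import median

# Constructed sample export (hypothetical format, not a real DCS log schema):
# UTC timestamp, handler account, source station, passenger records viewed
SAMPLE_EVENTS = """\
2024-03-04T06:12:00,gh.asmith,LHR,38
2024-03-04T14:40:00,gh.asmith,LHR,41
2024-03-04T02:17:00,gh.bjones,LHR,12
2024-03-04T09:05:00,gh.cpatel,MAN,35
2024-03-04T09:50:00,gh.cpatel,MAN,640
2024-03-04T11:30:00,gh.dlee,XXX,22
"""

# Assumed policy values the airline would agree per handling contract.
ROSTERED_HOURS = range(4, 23)         # handler shifts cover 04:00-22:59 UTC
CONTRACTED_STATIONS = {"LHR", "MAN"}  # stations this handler serves
PEER_MULTIPLIER = 5                   # daily volume vs. median of peer accounts

def parse_events(text):
    """Yield (timestamp, account, station, records) from the constructed format."""
    for line in text.strip().splitlines():
        ts, account, station, records = line.split(",")
        yield datetime.fromisoformat(ts), account, station, int(records)

def detect_anomalies(text):
    """Return a sorted list of (account, reason) findings."""
    findings = set()
    daily = defaultdict(lambda: defaultdict(int))  # day -> account -> records
    for ts, account, station, records in parse_events(text):
        if ts.hour not in ROSTERED_HOURS:
            findings.add((account, "unusual_hours"))
        if station not in CONTRACTED_STATIONS:
            findings.add((account, "unexpected_location"))
        daily[ts.date()][account] += records
    for totals in daily.values():
        baseline = median(totals.values())
        for account, total in totals.items():
            if total > PEER_MULTIPLIER * baseline:
                findings.add((account, "excessive_data_access"))
    return sorted(findings)

if __name__ == "__main__":
    for account, reason in detect_anomalies(SAMPLE_EVENTS):
        print(f"{account}: {reason}")
```
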
Ground Handler Security Programme: Priority Controls
Ground handling companies building a cybersecurity programme should prioritise:
- MFA on all airline system access: Multi-factor authentication on DCS and other airline system credentials is a minimum requirement that airlines increasingly mandate
- Endpoint security: Ground handler office systems and operational terminals should have endpoint protection — phishing attacks targeting ground handler credentials are a documented threat vector
- Access control discipline: Individual user accounts for each staff member accessing airline systems — no shared credentials — with prompt revocation on departure
- Staff awareness training: Ground handling staff are targeted by social engineering specifically because of their airline system access — targeted phishing awareness training is essential
- Incident reporting capability: Ground handlers should have clear procedures for reporting potential security incidents to the airlines whose systems they access
- Network isolation: Ground handler IT networks should be segregated from airline and airport operational systems where possible — limiting blast radius from a ground handler IT compromise
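The MFA and access control items above can be checked periodically by reconciling the airline's list of handler DCS accounts against the handler's current staff roster. This is an added example, not part of the original article: the CSV columns, account names, staff IDs and the 60-day dormancy threshold are constructed assumptions, and the dormancy check goes beyond the list above as a proxy for departures the handler has not reported.

```python
import csv
import io
from datetime import date

# Constructed sample data (hypothetical export columns, not a real DCS or HR schema).
DCS_ACCOUNTS = """\
account,staff_id,mfa_enrolled,last_login
gh.asmith,H1001,yes,2024-03-03
gh.bjones,H1002,no,2024-03-02
gh.ckhan,H1003,yes,2024-01-10
gh.gate12,,yes,2024-03-04
gh.dlee,H1005,yes,2023-11-20
"""
ACTIVE_STAFF = {"H1001", "H1002", "H1005"}  # handler's current roster; H1003 has left
AUDIT_DATE = date(2024, 3, 4)               # constructed "today" for the sample
DORMANT_AFTER_DAYS = 60                     # assumed threshold

def audit_accounts(accounts_csv, active_staff, today):
    """Return {account: [issues]} for accounts that break the access rules."""
    findings = {}
    for row in csv.DictReader(io.StringIO(accounts_csv)):
        issues = []
        if not row["staff_id"]:
            # Account not tied to one named person: a shared credential.
            issues.append("shared_credential")
        elif row["staff_id"] not in active_staff:
            # Owner no longer on the handler's roster: revoke.
            issues.append("leaver_not_revoked")
        if row["mfa_enrolled"] != "yes":
            issues.append("no_mfa")
        idle_days = (today - date.fromisoformat(row["last_login"])).days
        if idle_days > DORMANT_AFTER_DAYS:
            issues.append("dormant")
        if issues:
            findings[row["account"]] = issues
    return findings

if __name__ == "__main__":
    report = audit_accounts(DCS_ACCOUNTS, ACTIVE_STAFF, AUDIT_DATE)
    for account, issues in report.items():
        print(f"{account}: {', '.join(issues)}")
```
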
Frequently Asked Questions
Are ground handling companies subject to aviation cybersecurity regulations directly?
Ground handling companies are not typically subject to direct CAA cybersecurity oversight in the same way as airlines, airports, and ANSPs — they are not themselves regulated aviation entities under CAP 1753 unless they hold specific aviation approvals. However, they are subject to GDPR for passenger data processing, and they fall within the supply chain risk management obligations of the airlines and airports they serve — who are required by EASA Part-IS and CAA CAP 1753 to assess third-party security. This creates indirect regulatory pressure on ground handlers via their airline and airport customers.
What happens if a ground handler is compromised and an airline's DCS access is misused?
A ground handler compromise affecting airline DCS access could expose passenger personal data processed through the system, creating a potential GDPR breach for the airline (as data controller). The airline would typically need to assess whether a reportable breach has occurred and notify the ICO within 72 hours if so. The airline would also need to revoke the compromised credentials, investigate the scope of unauthorised access, and notify affected passengers if their data is at high risk. The ground handler would face commercial and potentially legal consequences under their service agreement.
How should airlines conduct security assessments of ground handling partners?
Practical ground handler security assessments for airlines should include: a security questionnaire covering key controls (MFA, endpoint protection, patch management, incident response, staff training); review of any existing security certifications (Cyber Essentials, ISO 27001); contractual review to ensure security obligations and DPA are in place; and for critical or large-scale handlers, potentially a technical assessment or right-to-audit visit. Automated third-party risk management tools like Panorays can provide continuous external assessment of ground handler security posture without requiring handler cooperation.