Access Management , Governance & Risk Management , Identity & Access Management

Australian Airport Identity Card Issuer Breached

Aviation ID Australia Says Website Accessed By Unauthorized Entity
Australian Airport Identity Card Issuer Breached
Source: Australian Department of Infrastructure and Regional Development

An Australian company that issues identity cards for access to airports has been notifying applicants and cardholders that their personal information may have been compromised, the Australian Broadcasting Corporation reports.

See Also: Safeguarding against GenAI Cyberthreats with Zero Trust

Aviation ID Australia is one of many Aviation Security Identity Card providers. The company, formed in 2005, services rural and regional airports. The cards are mandatory for individuals, including pilots and air cargo agents, who require unescorted access to sensitive areas of airports.

Ian Barker, managing director at Aviation ID Australia, tells the ABC that the data exposure occurred after a "localized portion of our website" was accessed by an unauthorized entity.

The company had not determined the full extent of the data exposed, but it likely includes names, street addresses, birth certificate numbers, drivers license numbers, Medicare card numbers and ASIC numbers, Barker tells the ABC.

When Information Security Media Group called Aviation ID Australia on Friday and asked for Barker, however, the person who answered the phone said he wasn't available and hung up.

Australian Federal Police are investigating the breach, the ABC reports. The Civil Aviation Safety Authority did not have an immediate comment.

It wasn't clear if the Aviation ID Australia had notified the Office of the Australian Information Commissioner, which enforces the country's Privacy Act. In February, an amendment to the act went into effect that requires organizations with more than $3 million in annual turnover to report serious breaches within 30 days (see Australia Enacts Mandatory Breach Notification Law).

Aviation Security Identity Cards

About 45 airports and companies are authorized to issue ASICs. The cards are intended to show that a person has completed a valid background check, according to the Department of Home Affairs.

Three types of ASICs from one issuer, Veritas. (Source: Veritas)

The airport cards as well as their marine equivalent "are an important part of securing the aviation, maritime and offshore oil and gas sectors from acts of terrorism and unlawful interference," according to the Department of Infrastructure and Regional Development. The cards must be renewed every two years.

It appears some organizations allow individuals to apply for ASICs online, including Aviation ID Australia. Others offer forms that need to be submitted in person.

'Unloved' Website

Aviation ID Australia's website, however, looks "old and dated and unloved," says Troy Hunt, an Australian security expert. The site returns a response header indicating it runs on Microsoft's Internet Information Services server version 7.5, which launched in October 2009 on Windows 7 and Windows 2008 R2.

Hunt says that in and of itself isn't necessarily an indication that the company's website may have had poor security. But he did notice one login page that wasn't always served over HTTPS, meaning it could potentially allow someone to intercept unencrypted data traffic.

Overall, however, "there's no smoking gun," Hunt says.

Sticky Notes: Not For Passwords

Anyone applying for ASIC used to be able to do the process entirely by post. But changes that took effect last August now require applicants to show identity documents in person at some point in the process.

It was the identity document check that took Tony Morris, a private pilot, to an Aviation ID Australia office near Brisbane's airport in April.

Morris says an attendant left an open terminal that exposed personal information and also a sticky note with a password.

Morris says on Friday that when he went to pick up his red ASIC card, the person helping him left the room for a few minutes. But the person left a terminal unlocked that allowed him to view his details.

Underneath his details, he could also see the names and birthdates of other ASIC applicants. He also saw a curled, yellow sticky note at the base of the monitor that had the word "password" underlined and a word written below.

He snapped a photo. "I thought: My mates are going to love this," Morris says.

About the Author

Jeremy Kirk

Jeremy Kirk

Executive Editor, Security and Technology, ISMG

Kirk was executive editor for security and technology for Information Security Media Group. Reporting from Sydney, Australia, he created "The Ransomware Files" podcast, which tells the harrowing stories of IT pros who have fought back against ransomware.

Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing, you agree to our use of cookies.