Life's a breach: Reported attack on United Airlines shows everyone has valuable data to protect

No longer focused on stealing credit card numbers alone, hackers are flexing seriously dangerous muscle, security experts say.

Laura Hautala Former Senior Writer
Laura wrote about e-commerce and Amazon, and she occasionally covered cool science topics. Previously, she broke down cybersecurity and privacy issues for CNET readers. Laura is based in Tacoma, Washington, and was into sourdough before the pandemic.
Expertise E-commerce, Amazon, earned wage access, online marketplaces, direct to consumer, unions, labor and employment, supply chain, cybersecurity, privacy, stalkerware, hacking. Credentials
  • 2022 Eddie Award for a single article in consumer technology
Laura Hautala
3 min read

All kinds of data can tempt hackers, the reported hack on United Airlines shows.
All information has potential value to hackers. The latest example: A reported breach of network security at United Airlines that swept up flight manifests. Yes, just lists of people on an airplane.

Bloomberg reported Wednesday that United Airlines detected a breach in May or June that compromised its customers' flight records, among other data. According to the report, the same attackers who stole 21.5 million Social Security numbers and background check information from the federal government and medical records from Anthem Blue Cross last year were also behind the hack on United.

The purported hacking group, believed to be affiliated with China, appears to be triangulating United customers' movements. Combined with background check information stolen from the government and medical records stolen from Anthem, experts say the group is stockpiling information on intelligence officers.

That might not affect you or me today (assuming neither of us is a spy), but it emphasizes how vulnerable the systems we rely on for day-to-day life are. If spies aren't safe, neither is critical infrastructure that runs on computers, said Udi Mokady, chief executive of security company CyberArk.

"In situations where people's lives are put in jeopardy, it becomes an increasingly serious issue," he said.

A United spokesman said the report was based on speculation and that United customers' private information is safe, but he declined to confirm or deny that a breach occurred.

The reported hack shows that all businesses are holding onto valuable information that could attract hackers, Mokady said.

In hacking's early days, attackers were interested in "low-hanging fruit" that could be quickly sold for cash, like credit card numbers, Mokady said. Then the theft and sale of personal identifying information like Social Security numbers gained popularity.

But in the case of United, the purported hackers seemed interested in flight records, which don't likely have a broad resale market. It shows the variety of valuable information that needs to be protected from hackers.

"If what they stole here were the flight plans, it's another example of different attackers can make use of different things," Mokady said.

For example, the hack against Sony last November appeared to be intended to drag the company through the mud, rather than financial gain.

The lesson from that experience: Everyone needs to be on alert for hackers.

Two major changes would help protect data like United's flight records. First, data should be encrypted, or jumbled up using a computer algorithm that only the owners can decode, said Alan Kessler, chief executive of cybersecurity company Vormetric.

Next, Kessler said, companies and government agencies need to rethink who has the ability to read that information. Currently, too many people have easy access to many types of data, he said, meaning there are too many people who can unwittingly let hackers into important databases.

Finally, if someone with access to unprotected data is acting weird (like uploading a bunch of data to the Internet at midnight), organizations should be able to recognize that strange behavior and investigate for signs of hackers taking over the user's computer.

Bottom line: Companies need to change their thinking and assume their data is likely to be compromised, instead of assuming they can protect it.