I was traveling last week, and as I answered some emails mid-flight over North Carolina, I remembered how complicated (and outrageously expensive) it used to be to make a phone call from an aircraft. You remember: Airfone. Now, we take for granted the ability to get connected at 30,000 feet and get annoyed when we can’t stream Netflix for ten minutes without a buffering lag.
Taking a step back, though, the volume of data generated in, by, and for the aviation industry is staggering. Think for a moment just about my example: in-flight entertainment and wifi (referred to as IFEC in the industry). Every passenger who logs into the wifi, enters their credit card information, and uses internet services is creating a treasure trove of personal data and financial information. So what happens if a cybercriminal sets up an evil twin wireless access point (naming their fake wireless connection “In-Flight WiFi”, for instance), and customers connect?
Nothing good. And if you think that internet users are savvy enough to know not to log onto unsecured wifi, they aren’t. Although the airline itself would not likely be liable in that scenario, the reputational damage from a hack on one of their flights can be bad enough.
The regulatory concerns for the aviation industry are no less troubling. Virtually any aviation entity that operates in or travels to Europe will be subject to the GDPR, which raises substantial compliance considerations. The processing of traveler data involves not only their personal information (name, address, government ID number) but also tracking of their activity (in that the traveler’s movements are recorded as a component of their travel). Processing that kind of sensitive information is what GDPR expressly sets out to regulate, and it does so by imposing the most comprehensive data security regime in history. And, given that the industry operates through a near-constant cross-border flow of data (including personal data of European citizens), aviation companies should expect to fall subject to the Regulation, and will be under close scrutiny after May 25.
In short, each step of the process in the aviation industry is rife with sensitive data. And none of the systems in place – from platforms for reservations to baggage handling to in-flight purchases to the software system that manages departures at the gate – are even close to perfect. Without a meaningful effort to implement datasmart practices, companies are simply waiting for a breach, or worse.
There are already plenty of good reasons for companies in the aviation industry to take the proper steps to secure their data, not the least of which are avoiding lawsuits and regulatory enforcement. But there’s another: competition. The industry is more competitive than ever, when even private charters are the subject of multiple apps. Customers and partners say that they are overwhelmingly likely to take their business elsewhere in the aftermath of a breach. It isn’t 1950, when fliers had to choose between Pan-Am, a cropduster, or Pan-Am. A breach of any kind, from ransomware to a stolen personal device, can wipe out a customer base or end a valuable business relationship.
Put another way, it is worthwhile to treat data security as though it were part of your company’s goodwill. Investing in a sound approach to data security not only protects against litigation and loss, it demonstrates commitment to an issue of substantial importance to partners and customers. For aviation companies, the entire business model depends on trust: trust in the aircraft, trust in the pilots, trust that we will get where we want to go. Making your customers’ data safe is a critical part of maintaining trust, and keeping your competitive edge.