Cyber Attack on Famous Airline: Is Passenger Information Safe?
Cyber Attack on Famous Airline: Is Passenger Information Safe?
An airline company that continues its activities with the concept of cheap tickets in our country has been cyber-attacked!
SunExpress, which is frequently preferred in our country with its cheap ticket concept, recently announced that it was recently cyber-attacked. The airline company disclosed critical details about the attack with its notification to KVKK. So, is passenger information safe? What exactly did the hackers capture?
SunExpress Announced That It Was Hacked: Here are All Details
Editor’s Note Due to an error in the first version of the content, Pegasus’ name was used instead of SunExpress. However, the company that filed the KVKK notification is Sun Ekspres Havacılık A.Ş. (SunExpress). We apologize for the confusion caused to our readers due to this error.
When we look at SunExpress’ GDPR notification, it was stated that a hacker had obtained the login details of an administrator account. Furthermore, with this information, unauthorized access was gained to the company’s campaign management platform and thousands of phishing emails were sent from this account.
The cyber attacker sent a total of 1,986,293 e-mails to 596,659 unique e-mail addresses. As a result of the investigations, it was determined that 86 of these e-mail addresses belonged to current and former employees, while 249,668 belonged to customers. However, the source of the remaining 346,905 e-mail addresses is currently unknown.
In the data breach notification submitted to the Board by Sun Ekspres Havacılık A.Ş. (SunExpress), the data controller, in summary
A cyber attacker gained unauthorized access to the campaign management platform used by the data controller by obtaining the login credentials of an administrator account and sent phishing emails through this account,
- The breach occurred on 15.07.2024 and was detected on the same day,
- The cyber attacker sent a total of 1,986,293 emails to 596,659 unique email addresses,
- The relevant groups of people affected by the breach are employees, customers and potential customers,
- The category of personal data affected by the breach is contact (e-mail) information,
- Of the 596,659 e-mail addresses to which the cyber attacker sent e-mails;
- 86 belonged to employees (current and former employees) and 249,668 to customers,
- 346,905 e-mail addresses were of unknown origin and were uploaded by the cyber attacker during the attack,
- Data subjects can get information about the data breach through the form on the data controller’s website (https://www.sunexpress.com/tr-tr/verilerin-korunmasi/)
information was included.
Although the investigation on the subject continues, with the decision of the Personal Data Protection Board dated 18.07.2024 and numbered 2024/1230, it was decided to announce the data breach notification on the website of the Authority.