Airbus is investigating a cyberattack on its commercial aircraft business, where the attackers gained unauthorized access to employee contact information.

“Investigations are ongoing to understand if any specific data was targeted; however, we do know some personal data was accessed. This is mostly professional contact and IT identification details of some Airbus employees in Europe,” Airbus said in a statement, issued Jan. 30.

Airbus added there is “no impact” on its commercial operations.

“This incident is being thoroughly investigated by Airbus experts, who have taken immediate and appropriate actions to reinforce existing security measures and to mitigate its potential impact, as well as determining its origins,” Airbus said.

Regulatory and data-protection authorities have been alerted and staff are taking “necessary precautions” following the attack.

Data security has increasingly come under the spotlight following several high-profile attacks and the introduction of Europe’s new General Data Protection Regulation (GDPR) rules, which carry a stiff 4% of global revenue penalty for data leaks.

Commenting on the Airbus incident, Dan Turner—who is CEO of UK-based data-security firm Deep Secure—said: “The Airbus breach is likely to become just another fleeting reference in the constant stream of data breaches we’ll witness this year. Incidents like this show that, no matter how robust the company’s security defenses, traditional cybersecurity solutions are unable to detect the growing number of zero-day and undetectable threats that cybercriminals are creating.

“We must assume that hackers are better at attacking than we are at defending—and that’s why we must go beyond the detect and protect approach to cybersecurity and focus on preventing attacks.”

PGI managing director cyber Brian Lord is a specialist in the field, having spent 21 years with UK intelligence and security service GCHQ. “Data breaches regarding personal data remain the most common data set to be stolen from all organizations,” Lord told ATW.

Lord said the Airbus investigation is likely to look at likely attacker types and their motivations.

“Whomever the perpetrator, individuals’ personal data has been compromised, something that GDPR was brought in to try to prevent and govern. Protection of personal information is the very purpose behind GDPR. An easily avoidable breach would affect Airbus’ reputation—as a cyber-aware prime defense company—more than many other companies in different sectors. I would expect their incident response process to be considering the management of this aspect carefully,” Lord said.   

Victoria Moores