Confidential Data of Pegasus Airlines Was Exposed to the Public

Turkish low-cost airline Pegasus Airlines accidentally leaked sensitive data: personal information of crew members along with the source code of its software and flight data after the company’s IT specialists incorrectly configured the AWS bucket.

Pegasus Airlines’ cloud data storage remained open on February 28, according to research group SafetyDetectives.

About 23 million files or 6.5 TB of data were found in the bucket, including more than three million files containing confidential flight data, such as: flight procedures and revisions; insurance documents; Detailed information about problems found during pre-flight inspections; information about crew changes.

More than 1.6 million files contained personal information about the aircraft’s crew, including photographs and signatures.

EFBs are information management tools designed to optimize the productivity of an airline crew by providing the necessary reference materials during the flight. SafetyDetectives suggested that attackers could gain access to very sensitive information as a result of the leak.

According to researchers, cybercriminals can spoof sensitive flight data and secret files using passwords and secret keys found in the PegasusEFB bucket. This impact could affect the safety of every passenger and crew member of Pegasus around the world. Subsidiary airlines using PegasusEFB may also be affected.

However, there are no signs that the leaked data is being used by attackers.
Notifying Pegasus Airlines on March 1, SafetyDetectives noted that the leak was fixed after about three weeks.

Reference: Founded in 1990, Pegasus Airlines is a Turkish carrier that specializes in low-cost domestic and international flights. The Turkish private equity firm Esas Holding AS owns a majority stake in the company. Pegasus is headquartered in Istanbul and generated US$620 million in revenue in 2021.