Cyber security is being tightened at Australian airports after an identity card data hack

Brook Mitchell/Getty Images
  • The website of an Australian company which conducts security checks and issues Aviation Security Identity Cards has been hacked.
  • The data breach is being investigated by the Australian Federal Police.
  • However, the Department of Home Affairs says the cards are protected by a proprietary security feature.

A data hack at a company which issues aviation industry security identity cards is being investigated by the Australian Federal Police as federal authorities tighten cyber security at airports.

The breach, which potentially exposed personal details of those applying for a security check, occurred at the website of Aviation ID Australia, a company providing Aviation Security Identity Cards (ASIC) to regional airports in Australia.

Authorities and the company are saying little. We only know the hack occurred because the company, as required under new reporting regulations, informed users in an email.

The Notifiable Data Breaches amendment introduced in February this year only requires the affected parties be notified of the loss of personal data likely to result in serious harm. There is no requirement to make public the extent of the breach or even announce that a hack has occurred.

From the emails sent to those affected, we know that the information at risk, what “may have been breached”, according to the company, includes the type of information very useful to those wanting to steel identities: name, street address, birth certificate number, drivers licence number, Medicare card number and ASIC number.

The company told its customers that “a localised portion of our website has been intentionally accessed by an unauthorised entity”.

The Australian Federal Police has confirmed it is investigating a potential breach of the Aviation ID Australia website.

“While the investigation remains ongoing, it is not appropriate to provide further details,” says a police spokesperson.

Asked about the extent of the hack and the airports affected, the Civil Aviation Safety Authority said: “As the Federal Police have an ongoing investigation we have been asked not to release any details.”

The Department of Home Affairs, which runs airport security, says it is aware of the cyber incident involving Aviation ID Australia and is working closely with all aviation and maritime security identification card (ASIC and MSIC) issuing bodies to increase cyber security.

“Australia has a comprehensive and robust transport security system, designed to respond to the threat environment and target the areas of highest risk,” the department says.

“The Aviation ID Australia cyber incident would not enable someone to fraudulently produce another ASIC or MSIC. The cards are protected by a proprietary security feature and are produced under secure conditions.”

The department says the ASIC is not an access card and only indicates that the holder has had a background security check.

But the card is an essential for airport workers. Without it they cannot get into secure areas. The website of the Civil Aviation Safety Authority says: “You need a valid ASIC if you require frequent access to a secure area of a security controlled airport.”

The Department of Home Affairs says airport and seaport owners and operators are responsible for access control to secure areas.

“It is not appropriate to provide further details while the investigation remains ongoing,” the department said.

Brisbane Airport, which does not use the hacked provider, told Business Insider: “The Australian Government has written to all ASIC Issuing Bodies directing them to take certain actions (where needed) to provide higher levels of assurance around the protection of personal data including, but not limited to, external cyber security audits on a re-current basis.”

There are more than 30 providers of Aviation Security Identity Cards. The larger airports, such as Sydney, have their now issuing body, doing security background checks and confirming identities in-house.

The cards must be worn when accessing secured areas at airports. Pilots typically wear one of them plus an airport security access card.

Industry sources say ASIC cards are extremely important.

“If I misplace mine even for a day it’s really tricky to get temporary access,” a senior commercial airline pilot told Business Insider.

“They are taken very seriously and certainly it is the only way for workers to be allowed airside to do our jobs.”

One provider, Security ID, says its data has not been compromised.

“Our systems are robust, complying with recommendations of the Australian Cyber Security Centre and are subject to audit,” it says.

Aviation ID Australia, the company which was hacked, is based at Merimbula, NSW, and mainly services rural and regional airports.

It’s not known which airports are its customers but none of the major city airports are affected.