Both websites were hacked in March 2020, allowing unknown hackers to steal sensitive data including passwords.
According to a data breach notification released by authorities at the San Francisco International Airport, two airport websites, “SFOConnect.com” and “SFOConstruction.com”, recently became targets of hackers.
The unknown hackers managed to insert data-stealing code into the sites to compromise credentials used by airport employees to access email and network accounts.
The authorities haven’t disclosed details of the hack, but the notification mentions that the compromised credentials were used to access personal devices such as tablets, laptops, and smartphones. The devices were used to access the airport’s online platforms as well as cloud services.
By March 23, 2020, the issue was resolved and the code was removed. However, considering that most of the employees will use the same credentials to access their devices and use SFO websites, the airport authorities reset the passwords of the compromised accounts to further mitigate the threat of another data leak.
The data breach notification warns users:
“If you visited either website outside of SFO’s managed networks and using Internet Explorer on a Windows-based device, you should change the password you use to log in to that device. You should also consider changing any credentials that use the same username and password combination.”
An internal investigation into this incident revealed that some of the data stolen from the websites may have reached the Dark Web. As per Lucy Security, an IT defense testing service, around 8,000 credentials shared on the Dark Web in late February 2020 were associated with Flysfo.com. This means the airport’s IT team took nearly a month to resolve the issue.
One of the two compromised websites is still offline while a majority of the airport staff is working from home using corporate VPN tools to access the SFO services, and only emergency workers are operating on the ground.
Considering this, the attack doesn’t appear to be a random attempt to steal data but rather a targeted attack. The affected users have been informed about the data breach and asked to reset their credentials as well. It is worth noting that the credentials were used by the airport employees only and not the travelers.