SITA, the IT service provider owned by the airline and airport industry, says it suffered a cyberattack targeting passenger information

2021-3-6 19:50

 

Yesterday SITA, the IT service provider owned by the airline and airport industry, said it experienced a cyberattack on passenger information. SITA Passenger Service System (PSS) looks after data for several airlines, and multiple air carriers have emailed a subset of their passengers telling them they’re affected. The issue highlights the need to reduce the amount of centralized personal data held by corporations, which creates a honeypot for cyberattackers. Instead, more data should be retained by individuals using digital identity solutions such as self-sovereign identity.

Examples of airlines that have confirmed the hack has impacted them include Singapore Airlines, Malaysia Airlines, and Finnair.

“This was a highly sophisticated attack,” said SITA in a statement. “SITA acted swiftly and initiated targeted containment measures.”

It turns out that Singapore Airlines is not even a customer of SITA PSS. It shared some passenger data with other Star Alliance members that use SITA PSS.

“All Star Alliance member airlines provide a restricted set of frequent flyer programme data to the alliance, which is then sent on to other member airlines to reside in their respective passenger service systems,” said Singapore Airlines in a statement. “This data transfer is necessary to enable verification of the membership tier status, and to accord to member airlines’ customers the relevant benefits while travelling.”

Singapore Airlines said that 580,000 KrisFlyer and PPS members were affected. The data exposed in the case of Singapore Airlines was the membership number, tier status and, in some cases, membership name. The other big western airlines that are Star Alliance members are United, Lufthansa, and Air Canada. None of the three airlines have made announcements.

To add insult to injury, Singapore Airlines is one of the early adopters of blockchain for its loyalty solution.

How self-sovereign identity might help

With something like a multi-airline loyalty scheme – with our admittedly armchair perspective – we believe this does not require a centralized store of data for sharing. In fact, it’s probably an ideal use case for digital identity. Here’s how we think it could work with self-sovereign identity.

When a passenger joins the Star Alliance program, they are issued a loyalty program credential by the airline that signed them up, hypothetically United. This is transmitted peer-to-peer and gets stored in their mobile wallet or a cloud provider they choose. Only United and the passenger have the details. The credential is digitally signed with United’s private key, and a blockchain might store United’s public key, which can later be used to verify the signature. 

When the passenger wants to use rewards points at another airline, say Singapore Airlines (SAI), SAI would ask the passenger for their Star Alliance credentials. The passenger shares their credential directly, which doesn’t need to include the membership number, and SAI verifies the credential without contacting United. They simply need to check that United’s public key matches the credential’s signature by checking the blockchain. They also might check a blockchain for revoked credentials, which again would not include personal information.

And there you have verifiable credentials with no centralized store of data. 
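
The issue, present and verify steps described above, sketched as an added example (not code from Ledger Insights, SITA or any airline). It assumes Ed25519 signatures, an in-memory object standing in for the blockchain, and salted claim digests as one way to let the passenger withhold the membership number; all function names and values are hypothetical.

```javascript
// Added example. The Map/Set below stand in for the blockchain; all names and values are constructed.
const crypto = require("node:crypto");
const digest = (salt, name, value) =>
  crypto.createHash("sha256").update(JSON.stringify([salt, name, value])).digest("hex");
// Ledger holds issuer public keys and revoked credential ids only, never personal data.
const ledger = { issuerKeys: new Map(), revoked: new Set() };

// Issuer: sign salted digests of the claims, so any subset can be shown later.
function issueCredential(issuer, privateKey, id, claims) {
  const disclosures = {}, digests = {};
  for (const [name, value] of Object.entries(claims)) {
    const salt = crypto.randomBytes(16).toString("hex");
    disclosures[name] = { salt, value };
    digests[name] = digest(salt, name, value);
  }
  const signed = JSON.stringify({ id, issuer, digests });
  const signature = crypto.sign(null, Buffer.from(signed), privateKey).toString("base64");
  return { signed, signature, disclosures }; // kept in the passenger's wallet
}

// Holder: reveal only the named claims; undisclosed ones travel as salted digests.
function present(credential, reveal) {
  const disclosed = {};
  for (const name of reveal) disclosed[name] = credential.disclosures[name];
  return { signed: credential.signed, signature: credential.signature, disclosed };
}

// Verifier: ledger lookups only, no call to the issuer.
function verifyPresentation(p) {
  const body = JSON.parse(p.signed);
  const key = ledger.issuerKeys.get(body.issuer);
  if (!key) return { ok: false, reason: "unknown issuer" };
  if (!crypto.verify(null, Buffer.from(p.signed), key, Buffer.from(p.signature, "base64")))
    return { ok: false, reason: "bad signature" };
  if (ledger.revoked.has(body.id)) return { ok: false, reason: "revoked" };
  const claims = {};
  for (const [name, d] of Object.entries(p.disclosed)) {
    if (digest(d.salt, name, d.value) !== body.digests[name])
      return { ok: false, reason: "claim mismatch: " + name };
    claims[name] = d.value;
  }
  return { ok: true, claims };
}

// Constructed demo: "united" issues, the passenger shows the tier only.
const united = crypto.generateKeyPairSync("ed25519");
ledger.issuerKeys.set("united", united.publicKey);
const wallet = issueCredential("united", united.privateKey, "cred-001",
  { tier: "Gold", memberNumber: "CONSTRUCTED-0001" });
console.log(verifyPresentation(present(wallet, ["tier"])));
```

The verifier learns the tier and the issuer, while the membership number never leaves the wallet; revocation is keyed on the credential id, so the ledger carries no personal data.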

You could also use a blockchain to share the transactions between the airlines. Again without using personally identifiable information.

What is a trickier challenge is the need for individual airlines to store their own passenger information for compliance and billing purposes. 

COVID-19 health passports

Meanwhile, rarely a day goes by without a new announcement of a digital identity solution for COVID-19 test and vaccination certificates. These work in a similar way with the test or healthcare provider digitally signing the test or vaccine certificate.

Some high-profile solution providers include GE Digital’s TrustOne app, IATA’s Travel Pass platform, IBM’s Digital Health Pass and the ICC AOKpass. But there are probably hundreds more. ID2020 has set up the Good Health Pass Collaborative to help the solutions interoperate.

 

Source: Ledger Insights