Tal Be’ery, Imperva’s Web Research Team Leader, reviews security considerations and how hackers might target the data held by the US government on millions of passengers who fly between the US and Europe as reported in the Guardian yesterday.
The personal data of millions of passengers who fly between the US and Europe, including credit card details, phone numbers and home addresses, may be stored by the US department of homeland security for 15 years, according to a draft agreement between Washington and Brussels leaked to the Guardian. http://www.guardian.co.uk/world/2011/may/25/us-to-store-passenger-data
Tal Be’ery raises three key issues:
Who would find this data most attractive?
This is a prime target for Advanced Persistent Threats (APT). Instead of just stealing data, APT hackers could try to:
- Insert data. For example, make an "Osama Bin Laden" entry and give it "no need to check at all" clearance.
- Get data out. For example:
- Find out all the information about a person which is, by definition, enough information to allow him into the US. Create fake passports using this information.
- Find out about all people travelling to the US.
Of course, it doesn't have to be a digital attack. An attacker may convince some employee, even a low-ranking one, to give him some (or all) of the data. Think Bradley Manning.
To be clear, I'm not saying that this database shouldn't exist because of these reasons; it should be closely defended and guarded as a prime target of APT.
How should they protect the data?
Like Fort Knox, only with database firewalls, auditing and excessive-rights management control. And it really calls for the implementation of novel approaches such as Prof. Adi Shamir's (the 'A' in RSA) idea of a set-based blurred database that will allow the verification of given details but will not allow arbitrary information retrieval.
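As an added illustration (not part of the original post, and not Shamir's construction, whose details the post does not give), the Python sketch below shows the verify-but-don't-retrieve property with the simplest possible mechanism: a store that keeps only keyed HMAC tags of canonicalized records, so it can answer "does exactly this record exist?" but a copy of the table yields no names, passport numbers or addresses. The field list, the sample records and the key handling are assumptions made for the example; in practice the key would live in an HSM or a separate verification service, never beside the table.

```python
import hashlib
import hmac
import json

# Constructed sample records for the example; fictional, not real passenger data.
SAMPLE_RECORDS = [
    {"surname": "DOE", "given": "JANE", "passport": "X1234567",
     "dob": "1980-01-02", "nationality": "GBR"},
    {"surname": "ROE", "given": "RICHARD", "passport": "Y7654321",
     "dob": "1975-11-30", "nationality": "DEU"},
]

# Assumed field set; fixed order so the same person always produces the same tag.
FIELDS = ("surname", "given", "passport", "dob", "nationality")


def canonicalize(record: dict) -> bytes:
    """Normalise a record (strip, upper-case, fixed field order) before tagging."""
    parts = [str(record.get(f, "")).strip().upper() for f in FIELDS]
    return json.dumps(parts, separators=(",", ":")).encode()


class BlurredStore:
    """Holds only HMAC-SHA256 tags of records; no plaintext field is ever stored.

    Without the key the tags are indistinguishable from random, so a dump of the
    table does not let an attacker list travellers or read their details.
    """

    def __init__(self, key: bytes):
        if len(key) < 32:
            raise ValueError("key must be at least 32 bytes")
        self._key = key
        self._tags: set = set()

    def _tag(self, record: dict) -> bytes:
        return hmac.new(self._key, canonicalize(record), hashlib.sha256).digest()

    def add(self, record: dict) -> None:
        self._tags.add(self._tag(record))

    def verify(self, record: dict) -> bool:
        """The only query the store answers: is this exact record present?"""
        return self._tag(record) in self._tags

    def dump(self) -> list:
        """What an attacker who copies the table sees: opaque hex tags."""
        return sorted(t.hex() for t in self._tags)


def build_demo_store(key: bytes) -> BlurredStore:
    store = BlurredStore(key)
    for rec in SAMPLE_RECORDS:
        store.add(rec)
    return store


def plaintext_leaked(store: BlurredStore) -> bool:
    """True if any sample field value can be found in the stored table."""
    dumped = " ".join(store.dump()).upper()
    return any(str(v).upper() in dumped
               for rec in SAMPLE_RECORDS for v in rec.values())


def oracle_guess(store: BlurredStore, partial: dict, candidates: list):
    """The caveat: a verification oracle still confirms guesses.

    Given the other fields, an attacker who can query verify() freely can test
    candidate passport numbers one by one. Returns the first confirmed value,
    or None. This is why verify() must be rate-limited, authenticated and audited.
    """
    for cand in candidates:
        if store.verify({**partial, "passport": cand}):
            return cand
    return None


if __name__ == "__main__":
    demo = build_demo_store(b"demo-key-only-for-this-example-00")
    print("verify(real record):", demo.verify(SAMPLE_RECORDS[0]))
    print("verify(wrong passport):",
          demo.verify({**SAMPLE_RECORDS[0], "passport": "X1234568"}))
    print("plaintext in dump:", plaintext_leaked(demo))
    print("oracle guess:", oracle_guess(demo, SAMPLE_RECORDS[0],
                                        ["X0000000", "X1234567"]))
```

The `oracle_guess` function is the part a practitioner should take away: blurring the stored form removes the bulk-dump risk, but the verification interface itself is a guessing oracle against low-entropy fields, so it needs the same firewalling, auditing and rights control the paragraph above asks for, plus rate limiting.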
Who should protect the data?
This is an interesting case where one country is holding data on another country's citizens; I don't think there's any regulation yet on this issue. This calls for global regulatory action and standards. For example, who will audit the database to ensure it's carefully protected?