Charter provider and aircraft management firm Solairus Aviation in late March disclosed that some employee and client information had been accessed in a security breach of the Microsoft Azure cloud hosting platform of flight management systems provider Avianis, certain assets of which were acquired in 2019 by Wheels Up. Solarius is the second business aviation company to report a breach of its data through Avianis, with Jet Aviation experiencing a similar compromise of employee and customer information during the same period as Solairus.
Both companies reported they were notified by Avianis of the breach in December. Avianis hosted Solairus’s flight scheduling and tracking system. "This incident impacted a subset of customers that use this storage system connected with the Avianis platform, but all other Wheels Up and Avianis systems and databases were not affected," Wheels Up said in a statement.
Information potentially accessed in the Solairus breach included employee and client names, Social Security numbers (SSN), passport numbers, driver’s license numbers, dates of birth, and/or financial account numbers.
Ben Rothke, a former private pilot and information security and cloud security expert, told AIN that the breach appears to be a targeted attack and that charter companies are likely more susceptible to these events because of the high-net-worth clientele they serve. “There is a lot of juicy data there,” he said, “a lot of crown jewel information.”
Rothke explained that firms such as Avianis will use a cloud platform provider like Microsoft or Google to host their cloud-based applications. As a general rule, it’s incumbent for charter providers to do their due diligence to make sure an applications vendor is using a well-qualified third-party provider of cloud-based services and not just go with the least expensive option. “You can always find someone cheaper but there’s a risk of doing that,” Rothke said. The assessment should include determining what kind of security architecture the application provider has, what certifications does it hold, and where its principal place of business is because information security regulations can vary between states and countries. “It’s very easy to create a very flashy-looking web page,” he said. “You really have to sort of kick the tires.”
Solairus said it is offering a complimentary membership to Equifax ID Patrol credit monitoring for individuals whose SSN and driver’s license numbers were involved in the breach. However, the company said it doesn’t have current addresses for all of those individuals and is encouraging them to call (855) 515-1652.
Based in Petaluma, California, Solairus employs 1,500 flight crew and support staff operating from more than 65 bases. Aircraft under management totals 220, including light, midsize, and large-cabin jets, and turboprops.