Cyprus Airways Data Breach

cyprus-aiwray-leak-post
Data breach at Cyprus Airways exposes PNR and ticket data; claims of real-time access raise aviation cybersecurity and Part-IS compliance concerns.

Overview:

A significant aviation cybersecurity incident has come to light involving Cyprus Airways. On 1 June 2025, a hacker forum disclosed the sale of a 45GB customer database allegedly stolen from the airline. According to the threat actor, the breach includes sensitive customer information, Electronic Ticket (ET) data, and Passenger Name Records (PNR), with claims of real-time access to these details.

The hacker alleged continuous access through Tuesday, 3 June, even two days after the initial publication of the attack.

This breach presents immediate concerns for aviation organisations, especially those subject to EASA Part-IS requirements, due to the potential impact on operational safety, data integrity, and trust.

What Happened:

The cyberattack reportedly led to the unauthorised extraction of customer records from Cyprus Airways systems. This includes names, flight details, ticket data, and PNR entries — all of which are core elements of aviation service continuity and customer privacy. Notably, the attacker has claimed ongoing access to live PNR and ET feeds, suggesting a persistent threat or exposed integration such as an insecure API.

With the data now for sale on a dark web marketplace, there is an increased risk of it being exploited for identity theft, fraudulent travel bookings, phishing campaigns, or even social engineering attacks targeting aviation staff or infrastructure.

Relevance to Part-IS Compliance:

Under EASA’s Part-IS framework, this incident underscores the importance of robust information security management systems (ISMS), especially concerning detection and containment of data breaches (IS.I.OR.220). The potential real-time compromise of operational data elevates this from a privacy issue to one with possible safety implications, warranting reassessment of risks under IS.I.OR.205 and IS.I.OR.210.

For organisations operating in regulated aviation domains, this event may also trigger reporting obligations. If any interface with Cyprus Airways systems exists, or if similar vulnerabilities are identified, organisations should consider external reporting as required by IS.I.OR.230.

Recommended Actions:

  • Reassess exposure to third-party or partner system integrations, particularly APIs exchanging PNR or ET data.
  • Perform an immediate review of your information security risk register in light of this scenario.
  • If your organisation may have been impacted, prepare internal and external reporting in line with IS.I.OR.215 and IS.I.OR.230.
  • Review technical safeguards for customer data processing and storage, particularly access controls and encryption.

Why This Matters:

This breach is not merely a matter of commercial risk — it highlights how information security failures can undermine aviation safety. When attackers gain access to live operational or customer movement data, the line between cybersecurity and aviation safety blurs.

Under EASA Part-IS, aviation organisations must not only protect information assets but also understand how cyber threats intersect with system dependencies and human performance. The Cyprus Airways incident is a timely case for sector-wide vigilance.

Share this Notice:

Related Posts

About Part-IS.eu

Part-IS.eu is a website operated by RainingBits LTD. This is not an official EU Commission or Government resource. The europa.eu webpage concerning Part-IS can be found here. Nothing found in this portal constitutes legal advice.

Part-IS
© Copyright 2025 NERD.aero by RainingBits LTD

Download our Free Gap Analysis Checklist

  • Easy to track Regulation references
  • Start your implementation journey
  • See where you are wil Part-IS compliance
  • Still have questions? We are always here for you!
Receive it in your inbox!