Cyber Incident Victim: Allied Pilots Association
Date: Oct 2023
Location: United States of America
Summary
The Allied Pilots Association experienced a ransomware attack that encrypted systems, prompting immediate network security measures and restoration efforts using backups. The union engaged cybersecurity experts to investigate potential data exposure while prioritizing the recovery of pilot-facing services. Restoration progressed gradually, with core functions partially reinstated and plans to revive additional systems, alongside an ongoing assessment of impacts on member information. Operational disruptions occurred during recovery, reflecting broader cybersecurity challenges within the aviation sector.
Description
On October 30, 2023, the Allied Pilots Association (APA), which represents over 15,000 American Airlines pilots, discovered a cybersecurity incident in the early morning hours, prompting immediate network security measures. The organization engaged an unnamed cybersecurity firm to investigate, which confirmed the incident involved ransomware that encrypted certain systems. This encryption necessitated a methodical restoration from backups, carried out by APA’s IT team alongside external experts. The recovery effort prioritized pilot-facing products and tools, with initial progress allowing partial service restoration throughout the week following the attack. Core services were gradually brought back online, though full operational recovery remained ongoing. Concurrently, APA initiated an assessment of potential data impacts, including member information, acknowledging that a thorough investigation takes time. The union communicated updates via its website and social media, informing members of service restoration milestones while cautioning that complete system recovery would extend over subsequent hours and days.

Restoration efforts advanced to include the majority of APA’s Web 2.0 product as an initial phase, with plans to deploy a Service Restoration dashboard on the union’s website for status tracking. The investigation, guided by third-party cybersecurity experts, reaffirmed that the attack was ransomware and that system encryption was the primary disruption. APA emphasized security considerations throughout the recovery process, balancing operational urgency with system integrity safeguards. Interim departmental contact information was published to maintain member support channels for benefits, aeromedical, scheduling, communications, and accounting services during the outage. The union committed to providing further incident details via text and email as the investigation progressed, explicitly acknowledging the possibility of data compromise while refraining from definitive conclusions until the forensic investigation was complete. This incident occurred amid a broader pattern of ransomware attacks targeting aviation entities, including airports, manufacturers, and airlines globally during the same period.
