Cyber Incident Victim: Isavia
Date: May 2023
Location: Iceland
Summary
Isavia's website, which provides flight information for Icelandic airports, was taken offline by a DDoS attack. The incident lasted approximately two hours and rendered the site inoperative due to traffic from thousands of virtual users. The company's technicians successfully defended against the attack and restored the site, though some users experienced prolonged access issues. A contingency page with flight information was made available via social media channels during the outage.
Description
On the morning of May 17, 2023, Isavia, the company responsible for operating Icelandic airports, was subjected to a cyber attack. The target of this attack was the company's official website, which publishes flight information for all scheduled flight destinations in Iceland. The specific type of attack was identified as a Distributed Denial-of-Service (DDoS) attack. This form of cyber assault functions by generating an overwhelming amount of artificial traffic directed at a website's server. The attack on Isavia was executed using thousands of virtual users, a method designed to flood the site's capacity and render it incapable of responding to legitimate requests from real users. As a direct consequence of this malicious traffic surge, the Isavia website became unavailable and was taken offline.

The website remained in a state of outage for approximately two hours as a result of the sustained DDoS attack. During this period, the primary public-facing source for real-time flight information was inaccessible to passengers, the public, and other stakeholders who rely on such data for travel planning and airport operations. The unavailability of this critical information portal represented a significant disruption to the normal flow of information essential for airport functionality. The immediate impact was that users could not access the website to check flight statuses, arrivals, and departures, potentially causing confusion and inconvenience.
Concurrent with the execution of the cyber attack and the resulting takedown of the main website, Isavia initiated its incident response protocol. The company's technical team actively worked to defend against the ongoing attack and to restore service. Their efforts were focused on mitigating the flood of malicious traffic and implementing defensive measures to protect the website's infrastructure. The technicians successfully managed to repel the attack and bring the website back online after the two-hour period. However, the company noted that even after the main attack was mitigated and the site was restored, some users might experience longer than normal wait times or delays in accessing the website as systems fully stabilized and propagated recovery measures across networks.
Recognizing the critical need to provide continuous access to flight information despite the attack on their primary web property, Isavia implemented a contingency plan almost immediately after the attack began. A standby emergency website containing access to flight information for Keflavík International Airport was activated and opened to the public. This alternative site served as a failover to ensure that vital travel data remained available. To direct users to this new source of information, Isavia utilized its social media channels, publishing announcements and links that pointed passengers and the public toward the emergency page. This action was taken to proactively communicate the issue and provide an immediate workaround, thereby reducing the impact on travelers.
In addition to activating its own emergency website, Isavia also directed users to other existing external sources where flight information could be obtained. The company's social media announcements also pointed people toward the website of Textavarp, a local text-based information service, as well as to the official websites of the individual airlines. Furthermore, social media channels associated with domestic airports within Iceland were used to share these alternative links and guidance, creating a broader network of information distribution to ensure the public could find the necessary flight details through multiple redundant channels.
Following the restoration of its main website and the stabilization of the situation, Isavia issued an official statement to inform the public about the incident. In this communication, the company formally confirmed that a DDoS attack had occurred, providing a brief technical explanation of how such an attack functions with thousands of virtual users aiming to make a site inoperable. The statement also detailed the company's response actions, including the successful defense mounted by its technicians and the deployment of the emergency information site. The company openly acknowledged the disruption and the potential problems the incident may have caused. Isavia extended an apology, stating it asked for understanding regarding any issues the website outage may have caused for its passengers and customers. This public messaging served to provide transparency about the nature of the event, the steps taken to resolve it, and to express accountability for the service interruption. The incident was contained within the same business day, with full service restoration and public communication completed promptly.
