Cyber Incident Victim: Aviation ID Australia
Date:
Jul 2018
Location:
Australia
Summary
A company responsible for issuing Aviation Security Identity Cards experienced unauthorized access to its systems, potentially compromising applicants' personal data including names, addresses, birth certificates, driver's licenses, Medicare details, and ASIC numbers. The breach raised national security concerns due to the sensitive nature of airport access credentials and the potential for malicious exploitation of stolen information. Authorities launched an investigation into the incident while affected individuals were notified about risks to their identity documents. This event occurred amid existing scrutiny of aviation security protocols following prior incidents involving credential issuance to individuals with criminal histories.
| CIA Posture | Motives | Tactics, Techniques & Procedures |
|---|---|---|
| Available to members | 1 motive | 1 technique |
| Threat Actors | Type | Location |
|---|---|---|
| 0 actors | Available to members | Available to members |
Description
On or around July 11, 2018, Aviation ID Australia—a New South Wales-based company responsible for issuing Aviation Security Identity Cards (ASICs) to personnel at regional and rural airports—disclosed a cybersecurity breach involving unauthorized access to a localized portion of its website. The breach potentially compromised the personal information of hundreds of individuals who were applying for or renewing ASICs, which grant access to restricted airport zones. Aviation ID Australia notified affected applicants via email on July 11, stating it could not confirm the exact scope of accessed data but warned that exposed information might include names, street addresses, birth certificate numbers, driver’s license numbers, Medicare card numbers, and ASIC numbers. The breach raised immediate concerns about potential compromises to Australian airport security, given ASICs’ role in preventing unauthorized access by criminals or terrorists to aircraft and sensitive areas. The Australian Federal Police (AFP) confirmed an ongoing investigation into the incident but declined to provide further details during the active inquiry. The Civil Aviation Safety Authority (CASA) was also notified of the breach.
The incident drew criticism from affected individuals, including former 747 pilot Nevan Pavlinovich, who expressed frustration over the lack of clarity regarding the breach’s consequences and the risk of identity theft. Pavlinovich emphasized that the stolen data could enable malicious actors to forge IDs or exploit personal information to gain airport access, noting the particular sensitivity of pilot credentials. The breach occurred against a backdrop of existing vulnerabilities in Australia’s aviation security system, including a 2017 federal report revealing that 20% of airport staff with aircraft access had criminal convictions—some for offenses like drug trafficking—and past cases of ASICs being issued to individuals with ties to radical groups. While Aviation ID Australia’s breach notification complied with new federal data breach disclosure laws enacted earlier in 2018, the incident underscored persistent security challenges in critical national infrastructure. The AFP’s investigation remained ongoing at the time of reporting, with no public resolution disclosed in the available source material.