Dublin Airport staff pay data 'compromised' by criminals
Attackers accessed it via third-party services provider, says management group
It's an awkward Monday for Dublin Airport after pay and benefits details for some 2,000 staff were apparently "compromised" following a recent attack on professional service provider Aon.
Aon appears to be the latest victim of the massive supply chain attack sweeping the world via a since-patched flaw – CVE-2023-34362 – in Progress Software's massively popular MOVEit file transfer suite. Progress first disclosed the flaw on May 31, and issued a patch the the next day. The vendor has since patched another two critical flaws. If you're a MOVEit transfer customer, you need to check for updates ASAP using the vendor's KB article here.
It's not known if any of the Irish-headquartered group's employee pay data has been publicly leaked, although we've asked the DAA Group, which manages Dublin Airport, among others, for more details. DAA confirmed to The Reg this morning that "as a result of a recent cyber-attack on Aon, a third-party professional service provider, data relating to some employees' pay and benefits was compromised."
Despite being publicly blamed by DAA, Aon does not appear to have made a public statement about the attack, and did not immediately respond to The Register's request for comment. It appears to have links to the MOVEit tool on an SFTP site on its domain aimed at clients and employees.
DAA was keen to emphasize that its own systems had not been exposed, and said it had notified the Irish Data Protection Commission and was "offering support, advice and assistance to employees impacted by this criminal cyber-attack."
According to its website, among other services it offers, Aon compiles personalized total rewards statements for clients, breaking down what an employer has dished out to staffers for development, paid time off and other things not seen in their salary bottom line. The aim, it says, is "to communicate the value of your total reward in a personalized way."
Dublin airport has come in for flak for failing to restaff in time for the post-pandemic travel rush – a situation mirrored in many of the world's airports.
The management company itself held a jobs fair earlier this year, with one role advertised being a "drone-catcher," for which there was apparently "a pressing need."
- Hold it – another vulnerability found in MOVEit file transfer software
- Ex-FBI employee jailed for taking classified material home
- Guess what happened to this US agency using outdated software?
- Third MOVEit bug fixed a day after PoC exploit made public
According to the company's website, it has around 3,000 employees and besides its management of Dublin and Cork airports in Ireland also looks after terminals in Saudi Arabia, and has an international airside retail business.
Supply chain attacks have been a growing threat since 2020's Solar Winds incident and the Kaseya crisis that followed, with MOVEit and attacks via holes in comms software maker 3CX's software the most prominent of late.
Worse still, MOVEit isn't even Clop's first merry-go-round in the file transfer software game. At the end of 2020 and in 2021, it exploited zero-day flaws in Accellion's File Transfer Appliance, hitting up oil giant Shell, among others, in a wide-ranging supply chain sweep.
Speaking to The Reg earlier this year, Mandiant said the problem is only going to get worse and the industry needs to get its act together on securing software dependencies.
The UK's National Cyber Security Centre also recently warned companies to think more carefully about contractors and third-party security, noting: "By far the greatest supply chain issue is a third party failing to adequately secure the systems that hold your sensitive data." ®
Biting the hand that feeds IT
