Kenya Airways (KQ) suffered a cyberattack in which an unauthorized party attempted to breach the airline’s systems. The incident occurred late last year and resulted in unauthorized access to police investigation reports, phone numbers, email addresses, and passports of an unspecified number of individuals, particularly past passengers and staff members. The attackers sought a ransom for the compromised information.
The data breach reportedly originated from a sophisticated attack by the Ransomexx cybercriminal group, known for targeting organizations globally. Despite the ransom denial, Kenya Airways recently disclosed the incident to the Office of the Data Protection Commissioner (ODPC) in adherence to transparency policies and Data Protection Act protocols.
According to undisclosed sources, the hackers managed to obtain limited information, including identity documents, telephone numbers, investigation reports, and email addresses. The exposed data encompasses a significant volume of internal Kenya Airways information, such as insurance policies, confidential agreements, passwords, and customer complaints. Notably, files related to accidents, labeled ‘Accident docs,’ ‘Accident investigations,’ ‘Accidents,’ ‘Air Accident Investigations,’ and ‘Investigation Reports,’ were also compromised.
Individuals whose limited information was accessed have been contacted and engaged. Following the incident, the airline’s technology security professionals implemented precautionary measures to avert future cyber attacks.
Cyberattacks are prevalent across various sectors, affecting companies in Kenya and globally. Amid increasing cybersecurity concerns, Kenya has enacted data protection legislation. The Data Protection Act of November 8, 2019, serves to protect individuals’ privacy and prevent unauthorized access, circulation, and disclosure of personal data through any medium.