The list of companies and industries targeted by cybercriminals has grown steadily since March, and the newest addition is none other than the San Francisco International Airport (SFO).
In a data breach notice sent to all airport commissions on April 7, airport officials announced that SFOConnect.com and SFOConstruction.com suffered a security incident in which bad actors injected malicious code to steal users’ login credentials.
“Users possibly impacted by this attack include those accessing these websites from outside the airport network through Internet Explorer on a Windows-based personal device or a device not maintained by SFO,” said SFO’s Airport Information Technology and Telecommunications (ITT) director.
The first compromised website, SFOConstruction.com, addresses the airport’s construction project and provides a centralized way for third parties and contractors to bid on new or upcoming construction plans. SFOConnect.com, on the other hand, serves as an employee gateway providing recent airport security news and information on ground transportation units.
Following the investigation, SFO officials do not exclude the possibility of unauthorized access to the platform using employee credentials. As an immediate countermeasure after removing the malicious code, the two platforms were taken offline, and Airport ITT “reset all SFO related email and network passwords.”
The two websites are still accessible outside SFO’s network, but a full website maintenance memo is listed on SFOConstruction.com, with no ETA provided.
All users who have accessed the two platforms from SFO-managed networks or from their homes using Internet Explorer (IE) or a Windows-based device are advised to act quickly and change the password used to access those devices.
“At this time, it appears the attackers may have accessed the impacted users’ usernames and passwords used to log on to those personal devices.” As an additional preventive measure, employees should also change any login credentials for other online platforms that use the same password or screenname combination.