United Airlines recently alerted employees that security codes providing access to plane cockpits had been leaked online, the Wall Street Journal reported. Citing a pilot briefed on the matter, the report noted that the codes were accidentally posted to a public website by a United flight attendant.

The problem has been addressed, the report said. But, the incident raises questions and concerns about the chain of custody for sensitive data in an organization.

Sometimes, when a flight attendant needs to access the cockpit, they must enter a code on a keypad outside of the door to gain entry. However, the final access is granted by the pilot, who can see who input the code, and must grant additional permission from inside the cockpit.

SEE: Information security incident reporting policy (Tech Pro Research)

Even if someone enters the correct information, the pilot can deny them entry. As such, United pilots have been instructed to continue following the standard protocol of visually confirming an entrant’s identity before allowing them access, until new codes can be sent out from United, the report said.

Although a United memo, mentioned in the report, said that “flight deck procedures may have been compromised,” it also said there was a pending “corrective action.” However, no flights seem to have been affected by the incident.

While the United Airlines incident wasn’t the result of a hacking attempt, it highlights that people continue to be one of the weakest links in an organization’s cybersecurity. In fact, more than half of US employees can’t identify a phishing email and don’t know what ransomware is.

This incident highlights the need for organizations to invest in training and occasional retraining of employees on cybersecurity and data privacy best practices. As part of its response, the report said, United did remind staff of the procedures in place, and asked them to remind in-flight crews about the procedures as well.

The 3 big takeaways for TechRepublic readers

  1. Security codes for United Airlines’ cockpits were recently leaked online by a flight attendant.
  2. Pilots have the final say in allowing someone into the cockpit, as they have the option to visually identify an entrant before letting them in.
  3. Corrective action is being taken, but the episode highlights the importance of data privacy and security training, as well as controlling the chain of custody for company data.