UN agency’s job application database breached, 42,000 records stolen

The agency, which supports the operation of international civil aviation, said air traffic is safe, but one analyst raised doubts about that.

The International Civil Aviation Organization (ICAO) on Tuesday said that it is “actively investigating reports of a potential information security incident allegedly linked to a threat actor known for targeting international organizations,” and has initially concluded that “approximately 42,000 recruitment application data records from April 2016 to July 2024” were stolen.

In its initial statement, the ICAO said, “We can confirm that this incident is limited to the recruitment database and does not affect any systems related to aviation safety or security operations.”

On Wednesday, ICAO officials elaborated on that statement during an email exchange between CSO Online and ICAO communications officer William Raillant-Clark, who said, “ICAO began its probe as soon as the claims were brought to our attention” on January 5, 2025.

But even if the systems impacting security were not directly affected, the information stolen could be used by attackers to impersonate airline officials with access to sensitive areas, according to Johannes Ullrich, the dean of research at the SANS Institute, which provides cybersecurity certifications and research.

“It’s very risky” because “we don’t know how [the attackers] are going to use the data that they now control. They could apply to jobs with that information,” Ullrich said. “If they have the information from a solid job application and they can impersonate them, it could place them in places of trust. It might be in backend systems that exchange flight data and such, potentially disrupting air travel.”

When asked how ICAO can say that this incident won’t affect aviation safety or security, Raillant-Clark said that the systems affected by this incident are not in any way connected or related to ICAO’s aviation safety or security work.

He said, “we are not in a position to validate claims or other statements made by external parties, and nor are we in a position to speculate on their intent.”

The agency said that the data was “claimed to be released by the threat actor known as Natohub.”

Reports have identified Natohub as the alias a data thief uses on BreachForum, a cyberthief forum and marketplace.

Without getting specific, ICAO said, “we have implemented additional security measures to protect our systems. We are also working to identify and notify affected individuals.”

Extensive data stolen

“The compromised data includes recruitment-related information that applicants entered into our system, such as names, email addresses, dates of birth, and employment history,” the initial ICAO statement said. “The affected data does not include financial information, passwords, passport details, or any documents uploaded by applicants.”

There have been many reports of attacks on job application databases because they tend to have massive amounts of personally identifiable information (PII) and other sensitive information.

Adding to the cybersecurity problem is the fact that many enterprises tend to outsource these sites to third parties who may not have the most robust protections.

One of the weaknesses in job application systems is the ability for applicants to upload files. “Allowing uploading of files, especially PDFs, is one of the most dangerous things a system can allow,” Ullrich said, noting it could let attackers upload malware.

“These employment application databases are always targets because they have a lot of information” and many companies “collect more data than they really need,” he said.

For example, Ullrich pointed to the ICAO statement that dates of birth were stolen. “Do they really need to ask that that early in the process?”

“I hope that they have strong evidence that it was not leaked,” he said, adding that the best tactics to protect such information are to encrypt as much data as possible and to implement an automated mechanism that moves data off of a public environment into a closed secure environment as quickly as possible.

Ullrich also questioned the portion of the ICAO statement that detailed what had not been stolen. Given that breach reports are routinely updated and expanded, it’s much safer to say what was definitely stolen and not discuss what initially appears to have not been stolen.

Combatting these issues requires sophisticated, experienced cybersecurity talent, which “you often don’t find in these outsourced vendors” handling job application functions, Ullrich said.

Given that the data grabbed spanned more than eight years, it seems likely that it was stored for an extensive period.

He also questioned whether the attacker had actually targeted the UN agency, or whether it was just an attack of opportunity, where the attacker found holes in the third-party job application firm’s platform and was systematically going after all of its customers.

The attacker might be just “taking out sites created by this vendor,” Ullrich said. “It’s very possible that [ICAO] was not targeted, and was just caught because of someone fishing for sites with a particular vulnerability.”
