TechRadar revealed on 27 Oct that a cyber-criminal gang has published boarding-pass data stolen from Collins Aerospace, a third-party supplier of departure-control software used by Dublin and Cork airports. Dublin Airport Authority (DAA) says its own systems remain uncompromised but warns that booking references, names and Frequent-Flyer numbers for flights in August could be in the wild. Swedish carrier SAS has emailed impacted travellers.
Although no flight disruption has occurred, the incident highlights the mobility risks embedded in aviation supply chains. Compromised Passenger Name Record (PNR) data can be used to re-route itineraries, conduct phishing attacks or generate fake boarding passes—issues that threaten both traveller security and corporate travel policies.
DAA has informed the Data Protection Commission and advised passengers to watch for identity-theft signs. Under GDPR, partners handling personal travel data for EU airports must implement “appropriate technical and organisational measures”; multinationals routing staff through Dublin should seek assurances from travel-management companies that they have patched similar vendor exposures.
Longer term, the breach may accelerate discussions about mandatory cyber-resilience certification for critical airport vendors—an area where Ireland is currently aligning with the EU’s NIS2 directive.
Although no flight disruption has occurred, the incident highlights the mobility risks embedded in aviation supply chains. Compromised Passenger Name Record (PNR) data can be used to re-route itineraries, conduct phishing attacks or generate fake boarding passes—issues that threaten both traveller security and corporate travel policies.
DAA has informed the Data Protection Commission and advised passengers to watch for identity-theft signs. Under GDPR, partners handling personal travel data for EU airports must implement “appropriate technical and organisational measures”; multinationals routing staff through Dublin should seek assurances from travel-management companies that they have patched similar vendor exposures.
Longer term, the breach may accelerate discussions about mandatory cyber-resilience certification for critical airport vendors—an area where Ireland is currently aligning with the EU’s NIS2 directive.
