As for many companies in the aviation industry, the summer of 2022 was marked by extreme challenges for Eurowings GmbH: the pandemic, the tense situation at many airports, and the war in Ukraine, to name just the biggest. Eurowings has recognized that it is all the more important, especially in these difficult times, not to lose sight of information security issues. Because it is precisely at this time that cyber attackers sense opportunities to harm companies - and as an airline, Eurowings is particularly in the spotlight. Inadequate information security can not only lead to enormous economic damage, but in extreme cases can even endanger human lives. In order to protect itself against attacks in the best possible way, Eurowings operates a professional information security management system (ISMS), for which the company is seeking ISO/IEC 27001:2013 certification. To protect the payment card data of its customers, Eurowings also has itself certified annually in accordance with the Payment Card Industry PCI DSS security standard. Two teams with experts from usd AG supported Eurowings in both security certifications.
In March 2022, the project to prepare for the ISO/IEC 27001:2013 certification for the area of Ground Operations as well as all supporting processes, such as IT and purchasing, started. The usd team, led by Andrea Rupprich, provided support here until the successful certification in September 2022 - and beyond.
The PCI DSS certification project started under the leadership of usd's Lead Auditor Tobias Weber in May 2022 and was successfully completed in December of the same year with an official confirmation of compliance with PCI DSS v3.2.1.
In addition to the certification project, the PCI DSS consulting project led by Ahmad Najim Quraishi started in August 2022. As part of this project, he supported Eurowings as an internal PCI Officer in the run-up to the implementation of payment security measures.
"Information security in our group and the security of our customers' data are our top priorities. The satisfaction of our internal and external partners and service providers is only one of the reasons why usd is the right partner for us."
Mehtap Secilmis, ISO of Eurowings Group
Information security management system: not a one-size-fits-all solution
In the aviation industry, where a wide range of data such as passenger information and flight schedules are processed, compliance with ISO 2700x standards is essential to ensure data confidentiality, integrity and availability. By implementing ISO 27001 measures, aviation companies like Eurowings can ensure that their IT systems and processes meet the highest security standards and minimize the risk of cyberattacks, data breaches and other security incidents.
Eurowings had already achieved a good level of maturity in its information security measures at the start of the project. Important framework conditions, such as information security policies, had already been established by the parent company Lufthansa.
In order to meet the requirements of ISO/IEC 27001:2013, the project team's goal was to further sharpen the ISMS processes at Eurowings and to increase the respective implementation maturity and transparency of the processes. In implementing the security requirements specified by the parent company, the usd ISMS team took into account the special features and individual needs of Eurowings - because there cannot be a "one-size-fits-all" solution for a well-functioning ISMS.
Engagement and communication at eye level: Eurowings Ground Operations
The usual business operations of Eurowings' Ground Ops division slowly resumed at the start of the project. Despite various challenges for the operational business resulting from the pandemic, the area under Kathrin Wester, Head of Station Management at Eurowings, was extremely receptive and committed to information security topics. The task of the usd ISMS team to intensively involve the responsible persons and contact persons of the Ground Ops area in the ISMS processes was thus easily fulfilled.
"We are all experiencing unusual times that have presented us with previously unknown challenges in our operational business. This makes it all the more important for us to emerge stronger from this crisis situation and not lose sight of cyber security issues. My team and I gratefully accept the suggestions and the exchange with the usd experts and will of course support their implementation with all the capacities at our disposal."
Kathrin Wester, Head of Station Management at Eurowings
"Right from the start, communication with all contact persons at Eurowings was at eye level, professional and solution-oriented. It was very clear that all stakeholders were strongly behind the project: Starting with the management, through the head of Ground Operations, to all other involved parties, the implementation of security measures was always carried out pragmatically and without bureaucratic obstacles."
Andrea Rupprich, Managing Security Consultant at usd AG
All employees of a company play an important role in information security management. For this reason, the usd ISMS team promoted new awareness and communication measures on information classification and other important information security topics for the management, the heads of the airport stations and all employees. The team also supported internal audits at headquarters and the relevant sites in an advisory capacity.
"The great thing about working with Eurowings is that we keep learning a lot from each other. We learn about Eurowings' processes and the IT systems at their stations and headquarters. And Eurowings, in return, learn what is important in information security. In this way, we were able to jointly develop good approaches that are feasible for all parties involved, effectively improve measures and already set up a plan for the next few years."
Wienke Schumacher, Senior Security Consultant at usd AG
PCI DSS: Protection against theft and misuse of payment card data
Especially for airlines that offer online reservations or the sale of airline tickets over the Internet, compliance with the PCI DSS standard is essential to protect sensitive customer data such as credit card information. By implementing PCI DSS measures, airlines like Eurowings can ensure that their customers' data is protected from unauthorized access in the best possible way.
As part of the project, Eurowings, with the support of usd, first ensured that all relevant PCI DSS security requirements were implemented in the company and that their maintenance was stringently tracked. In addition to optimizing processes and guidelines, Ahmad Najim Quraishi as PCI Compliance Officer accompanied and carried out risk assessments, training measures, hardening measures and technical security analyses for this purpose:
- Implementation of risk management processes to identify and minimize potential risks in advance
- Service provider management measures for risk assessment of external service providers
- Incident response training to teach employees how to respond quickly and appropriately in the event of an attack
- Secure coding training for developers with suggestions on how the security aspect can already be integrated into the development cycle of applications
- Evaluation of deployed tokenization solutions to ensure the security of payment processes
- Support for migration to Azure Cloud and evaluation of security check results to ensure IT security in the cloud as well
- SIEM Splunk gap analysis to identify and close potential security monitoring gaps
- PCI DSS penetration tests of the website and infrastructure, vulnerability and ASV scans including technical support and monitoring
"We consider the successful certification against PCI DSS to be the result of Eurowings' commitment to the security of payment card data. Thanks to their comprehensive preparation and constructive cooperation, we were able to successfully complete this complex certification on time. We greatly value our partnership with Eurowings and are proud of what we have achieved together."
Tobias Weber, Managing Consultant at usd AG
Continuous improvement is essential - usd remains a partner
usd will remain a partner for information security to Eurowings beyond the completion of the certifications. Ahmad Najim Quraishi will continue to support Eurowings as an internal PCI Compliance Officer in complying with security requirements in the area of payment security. The usd ISMS team will also continue to support Eurowings.
"Information security is never complete, but always a process of constant testing and improvement. My colleagues from the ISMS team and I will draw on our combined expertise to always provide Eurowings with a holistic perspective on their security level."
Ahmad Najim Quraishi, Managing Consultant at usd AG
"Continuous improvement is an essential part of information security and compliance. This means that our work with the teams at usd AG continues seamlessly after the successful certifications. We are pleased that we can continue to count on usd's support in maintaining and improving the measures."
Mehtap Secilmis, ISO of Eurowings Group
About Eurowings
Eurowings is the Lufthansa Group’s low-cost airline and, as such, part of the world’s largest aviation group. Eurowings has a current fleet of 139 aircraft and specialises in low-cost direct flights within Europe. The German airline currently offers more than 100 destinations in over 50 countries, making it the third-largest European point-to-point carrier. In 2018 for the first time, the airline flew more than 40 million passengers and its workforce grew to around 3,500 employees. The low-cost airline has 13 locations in Germany as well as in other European countries and is the market leader at six airports.