(Bloomberg) — The hackers who stole data on tens of millions of U.S. insurance holders and government employees in recent months breached another big target at around the same time — United Airlines (NYSE:UAL).
United, the world’s second-largest airline, detected an incursion into its computer systems in May or early June, said several people familiar with the probe. According to three of these people, investigators working with the carrier have linked the attack to a group of China-backed hackers they say are behind several other large heists — including the theft of security-clearance records from the U.S. Office of Personnel Management (OPM) and medical data from health insurer Anthem Inc. (NYSE:ANTM).
See also: Health insurers sail into cyber marshmallow zone
The previously unreported United breach raises the possibility that the hackers now have data on the movements of millions of Americans, adding airlines to a growing list of strategic U.S. industries and institutions that have been compromised. Among the cache of data stolen from United are manifests — which include information on flights’ passengers, origins and destinations — according to one person familiar with the carrier’s investigation.
It’s increasingly clear, security experts say, that China’s intelligence apparatus is amassing a vast database. Files stolen from the federal personnel office by this one China-based group could allow the hackers to identify Americans who work in defense and intelligence, including those on the payrolls of contractors. U.S. officials believe the group has links to the Chinese government, people familiar with the matter have said.
That data could be cross-referenced with stolen medical and financial records, revealing possible avenues for blackmailing or recruiting people who have security clearances.
See also: Hey: Yes, the NAIC is talking to you
In all, the China-backed team has hacked at least 10 companies and organizations, which include other travel providers and health insurers, says security firm FireEye Inc.
The theft of airline records potentially offers another layer of information that would allow China to chart the travel patterns of specific government or military officials.
See also: What every independent agent needs to know about cybersecurity
United is one of the biggest contractors with the U.S. government among the airlines, making it a rich depository of data on the travel of American officials, military personnel and contractors. The hackers could match international flights by Chinese officials or industrialists with trips taken by U.S. personnel to the same cities at the same time, said James Lewis, a senior fellow in cybersecurity at the Center for Strategic and International Studies in Washington.
“You’re suspicious of some guy; you happen to notice that he flew to Papua New Guinea on June 23 and now you can see that the Americans have flown there on June 22 or 23,” Lewis said. “If you’re China, you’re looking for those things that will give you a better picture of what the other side is up to.”
The timing of the United breach also raises questions about whether it’s linked to computer faults that stranded thousands of the airline’s passengers in two incidents over the past couple of months. Two additional people close to the probe, who like the others asked not to be identified when discussing the investigation, say the carrier has found no connection between the hack and a July 8 systems failure that halted flights for two hours. They didn’t rule out a possible, tangential connection to an outage on June 2.
Luke Punzenberger, a spokesman for Chicago-based United, a unit of United Continental Holdings Inc., declined to comment on the breach investigation.
Zhu Haiquan, a spokesman for the Chinese embassy in Washington, said in a statement: “The Chinese government and the personnel in its institutions never engage in any form of cyberattack. We firmly oppose and combat any forms of cyberattacks.”
United may have gotten help identifying the breach from U.S. investigators working on the OPM hack. The China-backed hackers that cybersecurity experts have linked to that attack have embedded the name of targets in web domains, phishing e-mails and other attack infrastructure, according to one of the people familiar with the investigation.