Amid high rates of inflation driven by the pandemic and the Ukraine invasion, Osprey assesses that the global cost-of-living crisis will increase the insider threat to aviation operations
The threat posed by aviation insiders has long been a significant concern to the industry for a multitude of reasons. First, the access and knowledge with which employees are entrusted are vital to the smooth running of operations, yet that trust may be exploited in a variety of ways, with potential repercussions ranging from operational disruption and financial and reputational impacts, up to loss of life and assets. In addition, the difficulty of effectively detecting and addressing insider issues, particularly in larger, divisionally structured entities that depend on multiple third-party service providers – common in the aviation industry – contributes to the complexity of the issue.
In July 2021, the United Kingdom's National Crime Agency (NCA) issued an "Amber Alert" to furloughed port and airport workers warning that they might be at risk of being exploited by organised crime groups as they returned to work following the easing of COVID restrictions. According to the statement, workers with detailed knowledge of border controls, including port and airport operators, contractors, couriers and freight operators, might be particularly vulnerable to exploitation by "high-harm criminals" involved in drug smuggling, gun running, money laundering and people trafficking. The statement highlighted that such groups were likely to intensify efforts to establish new insider contacts due to the pandemic, offering workers financial incentives to provide knowledge and access to restricted areas. The statement was made just over a year after the agency's director general, Lynne Owens, issued a similar alert to haulage, freight and transport operators in the country, stating there was a "strong likelihood" that criminal organisations would try to take advantage of workers who were "more financially vulnerable as a consequence of the lockdown and loss of work" to gain insider access to facilities and networks.
Given the post-pandemic operating environment in which we now find ourselves and current economic forecasts, the threat posed by insiders is likely to increase. Record rates of inflation and the global cost-of-living crisis – exacerbated by tax increases as governments attempt to recoup losses incurred during the pandemic – are increasing aviation employees' vulnerability to manipulation by criminal networks, thereby increasing the exposure of aviation operations to criminality and security threats. The individuals on whom the aviation industry depends for the continuity of operations and to secure facilities, people and assets, such as security screeners, ground handlers and cleaners, are likely to be most heavily impacted by the current economic crisis given the typically low salaries attracted by such roles. Yet these are the individuals with the highest levels of security access and therefore the greatest opportunity to exploit operations. Additionally, as commercial aviation entities attempt to limit their operational costs, reductions in pay and hours and contract terminations may lead to disgruntled employees in addition to increased stress and mental health issues among the workforce. Such measures therefore have the potential to further motivate individuals to disrupt or otherwise sabotage operations or to criminally exploit them, either independently or by facilitating the activities of criminal or terrorist groups.
Types of insider threat
Insiders may be employees, contractors, consultants, agency or temporary staff – essentially anyone with privileged access or knowledge. Such individuals pose a wide variety of threats to aviation operations for various reasons, most commonly financial gain but also for more malicious purposes such as revenge against an employer or political motivations. Insiders may exploit their position to smuggle restricted items, substances or people into secure areas, share sensitive data, including details of security procedures, or facilitate the infiltration of both physical and cyber spaces with malicious entities. The following sections summarise insider threats impacting the aviation industry, offering illustrative examples extracted from Osprey's global database of aviation security incidents and highlighting the roles typically held by perpetrators.
Trafficking of drugs, precious metals, weapons and other controlled items/substances
Security and customs personnel, ground handlers, freight agents, cleaners, caterers, air crew, airport workers, etc.
The smuggling of drugs, precious metals and other controlled items and substances by aviation insiders is a global and frequently reported issue. Various methods are employed by insiders in order to evade or assist others in evading controls. For example, in India, Bangladesh and Nepal, airline employees have been detected facilitating passengers' gold smuggling attempts by substituting their international luggage tags with domestic ones to evade customs checks upon arrival. Cabin crew, catering staff and aircraft cleaners have also been detected collecting gold left on aircraft by passengers, concealing the precious metal in catering trolleys and waste bins, in their pockets and even taped to their bodies, and in August 2022, a customs officer was detected carrying gold out of Calicut International Airport (VOCL/CCJ) after it was brought into the country from Dubai by two smugglers.
Aviation workers have also used a variety of methods to exploit operations to smuggle narcotics. Notably, drug cartels are reported to have paid insiders, likely aircraft mechanics, to conceal cocaine and heroin shipments in the secure electronics bays of aircraft arriving in the New York area from Latin America and the Caribbean. Baggage handlers have also been reported to transfer passenger luggage containing drugs from international to domestic terminals to evade checks, and off-duty airline crewmembers in the US have been detected exploiting the Known Crewmember facility – which allows crew of certain US airlines to bypass pre-flight screening procedures – to smuggle narcotics.
Human trafficking/migrant smuggling
Immigration personnel
The facilitation by insiders of irregular migration, including human trafficking, is also a significant issue. Incidents have been identified involving immigration officials being bribed by criminal networks to allow migrants/human-trafficking victims to enter the country without checking their visas or stamping their passports. Others have been detected providing both genuine and fake travel documentation, such as residency permits and visas, and stamping migrants' passports without recording their entry into the country. In a notable incident in South Africa in June 2022, unspecified insiders were believed to have assisted four Bangladeshi and four Pakistani nationals who were caught attempting to bypass immigration controls at O R Tambo International Airport (FAOR/JNB) and enter South Africa illegally via a network of service tunnels connected to the facility's fire hydrant system.
Passenger extortion
Security screeners, immigration personnel
The bribery of passengers by aviation workers is a significant issue, particularly in West African countries as well as Latin America. Security personnel at Lagos' Murtala Muhammed International Airport (DNMM/LOS), Nigeria, are reported to have planted drugs in passengers' luggage as leverage to demand bribes, and in November 2022, immigration personnel at the facility were "redeployed" to other departments or dismissed over allegations that they had extorted passengers. Immigration personnel at major airports in Mexico were also accused of arbitrarily detaining and extorting arriving foreign passengers. Media reporting in April 2022 stated that Cuban nationals were being forced to pay up to USD 100 to avoid being illegally detained by immigration agents conducting initial passport checks at Mexicali Airport (MMML/MXL), whether they had legal travel documentation or not, with cash usually handed over inside the travellers' passports.
Theft
Baggage handlers, security screeners
Theft from passengers' luggage as well as freight and cargo by baggage handlers has been widely reported in 2022. For example, in the Dominican Republic, multiple passengers primarily arriving at Punta Cana International Airport (MDPC/PUJ) and Las Americas International Airport (MDSD/SDQ), serving the capital, Santo Domingo, complained that items had been removed from their luggage or that their bags had gone missing altogether. An investigation was launched following claims by a former agency worker that staff from the company frequently open travellers' luggage and steal personal items upon arrival in the Dominican Republic. Also, in June 2022, Portuguese police dismantled a network of airport employees at Francisco Sa Carneiro Airport (LPPR/OPO), serving Porto, who were stealing items from passengers' bags as well as from cargo shipments. One individual was found to be using a BIC mechanical pencil to open passengers' suitcases, steal valuables and close the luggage again without leaving any suspicious traces. Separately, in August 2022, a baggage handler employed as a subcontractor at Destin-Fort Walton Beach Airport (KVPS/VPS), Florida, was arrested for stealing from travellers' luggage after a passenger inserted an Apple AirTag tracking device into her luggage, which allowed local authorities to trace her stolen bag to the employee's house. Screening officers are also reported to have stolen from passengers as they pass through security checkpoints, and, in January 2022, attendants at a car park at Lagos' Murtala Muhammed International Airport were suspected of having stolen items from vehicles parked in CCTV "blind spots".
Physical attacks
Anyone with access
Insider access may be abused to conduct a physical attack against a facility, aircraft or people. Such an attack may be conducted or facilitated by a violent non-state actor (VNSA) group member who has infiltrated the facility, by an employee who has been duped, bribed, or otherwise coerced, or by a "lone wolf" with political or emotional motivations or who is suffering from mental health issues. While such incidents are rare, they are a serious concern given the potential for a catastrophic incident. Such an attack could involve the insider introducing weapons or explosives into a security restricted area, as occurred in the 2016 attack on a Daallo Airlines flight from Mogadishu's Aden Adde International Airport (HCMM/MGQ). A senior security official carried an improvised explosive device through security and handed it to a passenger, who was the only fatality of the attack claimed by the militant Islamist group al-Shabab.
In a separate example highlighting the impact of financial hardship on aviation employees, in July 2019, an American Airlines employee glued a piece of foam inside a navigation system on an aircraft at Miami International Airport (KMIA/MIA), resulting in an error message being generated and the aircraft aborting its take-off. At the time of his arrest, he was reportedly upset and suffering financially due to stalled contract negotiations between the airline and unions. He claimed he did not intend to cause any harm, but rather to delay the flight to provide overtime work for himself – work he subsequently did. In March 2020, he was sentenced to three years' imprisonment after pleading guilty to sabotaging the aircraft. No evidence was found of any terrorist links after allegations of such connections had arisen in September 2019.
More recently, in July 2022, German federal police and state security launched an investigation into three employees of a company commissioned by the operator of Dusseldorf Airport (EDDL/DUS) and an airline after a photo was shared on social media showing the three individuals in an airside area of the airport displaying a hand gesture known to be a "salute" associated with the extremist Islamic State (IS) group.
Cyber attacks
Anyone with access
As the industry becomes ever more reliant on technology for every aspect of operations, exposure to cyber security incidents in aviation, including data theft and operational disruption, have also increased. From an insider threat perspective, concerns include the use of systems access to steal data – potentially including confidential or sensitive customer and employee documents – as well as the provision of access to third parties and the introduction of malware into a company's network via an external storage device such as a USB drive. Employees may be bribed or extorted in order to facilitate or conduct such an attack, and recently dismissed and disgruntled employees may use their network access before their credentials are revoked as part of the termination process. An example of such an incident occurred in 2020, when a 26-year-old former instructor of a flight training school in Florida accessed the school's systems after her father was dismissed from the company and changed the status of aircraft that had been flagged due to maintenance issues, essentially clearing them for flight.
Conclusion
While the threat posed by insiders to aviation operations is a long-term concern, the current economic crisis and associated operational cut-backs and other economic measures are likely to significantly increase financial hardship and potentially foster negative intent among staff, increasing the potential for criminal activity and attacks conducted by employees. Osprey therefore recommends that airlines, airports, agencies and other companies that operate in the aviation environment ensure that appropriate procedures are established to manage the threat. ICAO has developed its Insider Threat Toolkit to assist aviation organisations in mitigating the threat. It includes information on implementing background checks and vetting procedures, training and awareness, and reporting mechanisms. Osprey also closely monitors the industry for insider incidents, providing up-to-date data via its system and in-depth analysis to clients via our alerts.
