04-01-2011, 06:18 AM, #2
GW258

This was just sent to me.




November 30, 2010

John S. Pistole
Administrator
Transportation Security Administration
601 S. 12th St.
Arlington, VA 20598

Nathan Thomas Gray
Special Agent in Charge
Federal Bureau of Investigation
201 East Indianola Avenue
Phoenix, AZ 85012

William C. Withycombe
Western-Pacific Regional Administrator
Federal Aviation Administration
15000 Aviation Blvd
Hawthorne, CA 90250

Matter: Unauthorized Access of Confidential Pilot Information at US Airways Inc.

Dear Sirs:

On behalf of the US Airline Pilots Association, I write to advise federal authorities of an apparent recent unauthorized access to computerized records of thousands of commercial airline pilots employed by US Airways, Inc. These sensitive electronic records were taken from corporate computers, and confidential information such as individual pilot passport numbers and home addresses was disclosed to unknown perpetrators. We believe the unauthorized access to this confidential information may pose a direct threat to national security, our represented pilots' safety, and their professional standing.

Background and Access of Confidential Pilot Information

The US Airline Pilots Association (USAPA) is a federally certified labor representative headquartered in Charlotte, North Carolina that represents approximately 5,000 commercial airline pilots at US Airways, Inc. US Airways, Inc. (Company) is a major domestic and international air carrier headquartered in Tempe, Arizona.
In late October of this year, thousands of USAPA-represented pilots received an unsolicited mass mailing at their individual residential addresses. The individuals addressed were pre-merger US Airways pilots, generally referred to as "East pilots" to distinguish them from the former America West pilots, termed "West pilots." The two carriers merged in 2005.
The mailings had a return address for a private limited liability corporation headquartered in Tempe, Arizona. The return address on the mailer was:

Leonidas, LLC
P.O. Box 3362
Tempe, AZ 86280

Leonidas, LLC has sponsored or funded litigation allegedly on behalf of West pilots, against both the Company and USAPA stemming from an internal union dispute over seniority terms to be incorporated in a union contract currently under negotiation. The litigation remains ongoing in the federal courts at this time.
USAPA has never voluntarily disclosed its mailing lists or databases containing pilot residential addresses, or any other confidential information. In addition, the Company reports it has not voluntarily disclosed lists or databases containing pilot residential addresses, or any other confidential information. Nevertheless, as discussed further below, we conclude that the evidence suggests that the mailing information was obtained from the Company's computer databases, which also include such confidential information as pilot passport numbers.

Union and Company Response

In the immediate aftermath of the unsolicited mailing, many affected pilots expressed deep concern that confidential information personal to them had been breached. USAPA began an investigation that included eliminating the possibility of an internal breach within the Union.
A sampling of addresses targeted by the mass mailing consistently failed to match the address database maintained by USAPA. However, that sampling did consistently match a corporate database referred to as "CAT crew," which is used to schedule East pilots for flight duty (West pilots use a different database). While USAPA representatives on the Scheduling Committee do have limited access to the CAT crew database, full access to the database is supposed to be limited to US Airways' management personnel.
USAPA then contacted the Company for assistance, beginning with a brief presentation by the undersigned to the labor committee of the corporate Board of Directors concerning the apparent security breach. USAPA subsequently supplied documentary evidence to assist the Company's investigation, which led to the conclusion -- shared by USAPA and US Airways -- that the CAT crew database was the most likely source of the mailing. The Company confirmed that unrestricted access to the CAT crew database would also indicate unrestricted access to pilot passport information stored therein.
After reaching these preliminary conclusions, however, US Airways has not provided USAPA with further information concerning the persons responsible for the security breach, but has indicated that the Company has not contacted the appropriate federal agencies. USAPA has determined that it is in the interest of its pilot-members and national security to provide the FBI and FAA with the information currently in its possession.

Evidence and Findings

Reliable evidence confirms or supports the following findings of fact:
1) That addresses and associated names of resident East pilots were obtained and used in a mass mailing by Leonidas, LLC, which was sent in late October 2010.
2) That the US Airways, Inc. "CAT crew" database, used for scheduling "East" operation pilots, was accessed without authorization sometime prior to that mailing. A comparison of mailings to addresses and names unique to the CAT crew database constitutes compelling evidence that the Company's CAT crew database was breached and is the source. This became apparent when it was discovered that pilot nicknames, which are maintained only in the Company's crew scheduling database, were utilized by Leonidas, LLC for its unsolicited mailing. Sample comparisons between the Leonidas, LLC mailing and the Company's crew scheduling database, which demonstrate this correlation, are attached as Exhibits A-D. (In addition, the Company's designated representative has reported to USAPA's attorneys that no other source is apparent and its investigation is also focused on the CAT crew database).
3) That the scope of the aforesaid unauthorized access encompasses access to the computerized records of thousands of individual pilots.
4) That the scope of the breached CAT crew database includes commercial airline pilot passport numbers as well as US Airways specific employee numbers. (The Company, through its designated representative, confirmed this to USAPA attorneys on Nov. 18, 2010, in Tempe, Arizona). The cross referencing of employee identification and passport information is one of the foundational elements of the CASS flight deck security system utilized by the major airlines in our country.
5) That corporate agents of Leonidas, LLC have refused to identify the source of addresses used in their mass mailing, either to USAPA or the Company.

Conclusions

From the above findings, we conclude the following:
  • There was an unauthorized access from a "protected computer" within the meaning of the Counterfeit Access Device and Computer Fraud and Abuse Act 18 U.S.C. § 1030(e)(2)(b).
  • The exact scope of the breach is unknown, but unauthorized access to airline pilot passport numbers coupled with pilot residential addresses could potentially be used to forge U.S. commercial airline pilot passports, or identities, in order to gain access to international or domestic commercial aircraft or flights -- thereby posing a direct threat to our nation's security.
  • Electronically Stored Information controlled by US Airways, and possibly by third parties, may indicate the time, place and manner of the breach.
Regardless of the motive, this unauthorized access to, and apparent theft of, confidential commercial airline pilot information implicates national security and other concerns that compel USAPA to make this report. If you have any questions or wish to discuss this matter further, please do not hesitate to contact me at (877) 332-3342.
Sincerely,

Capt. Michael Cleary, President

Cc: Doug Parker, CEO US Airways