Hack on In-Flight Connectivity Provider Anuvu Exposes Starlink User Data

Hackers breached inflight connectivity provider Anuvu, exposing sensitive data including Starlink service records, user credentials, and corporate details linked to major airline and maritime customers worldwide.

    Anuvu, a leading in-flight entertainment and connectivity (IFEC) service provider for airlines and maritime operators, is investigating claims of a cyberattack that allegedly exposed sensitive customer data, including details linking clients to Starlink services. The incident was disclosed on a popular data leak forum where attackers shared samples of what they claimed to have stolen.

    The breach raises concerns for major airlines and maritime partners, as Anuvu counts global carriers such as Air France, Delta, Southwest, and British Airways among its clients.

    Source: Cybernews

    Attackers Claim Access to Databases and Credentials

    The attack was first publicized by threat actors on a data leak forum commonly used to trade stolen information. According to the forum post, the attackers claim to have obtained administrator-level credentials granting access to Anuvu’s AWS and Postgres databases.

    The Cybernews research team examined the data samples shared online and concluded they appear legitimate. The stolen information reportedly includes a significant set of sensitive records tied to both Anuvu employees and customers.

    Prior to 2021, Anuvu operated under the name Global Eagle. Today, the company employs roughly 1,000 people and reports annual revenue of $370 million, serving more than 150 airlines and 30 cruise-line customers worldwide.

    Sensitive Data Reportedly Exposed in the Attack

    The leaked dataset appears to contain multiple categories of sensitive information:

    • Customer information: Screenshots suggest the exposure of maritime customers, complete with company names, Salesforce identifiers, and business categories.
    • User credentials: Full names, email addresses, hashed passwords, and physical addresses were included. Many of the records date back to 2024.
    • Manager details: Names of Anuvu managers and company-linked email accounts were visible in the exposed logs.
    • Starlink-related records: Contract lines, order identifiers, and service line identifiers connected to Starlink services were revealed. These suggest Anuvu’s procurement of Starlink connectivity and indicate which end customers were provisioned through those services.

    As one researcher explained:

    “Logins are probably used for a customer-facing dashboard of some sort, since there is a mix of employee and customer logins here. Some physical addresses match office locations. People mentioned here seem legit as well.”

    Risks Posed by the Alleged Data Leak

    The presence of customer credentials represents the most immediate risk. Although many records appear to originate from 2024, the credentials remain useful to attackers because reused or slightly altered passwords are still a common problem.

    Cybersecurity analysts warn that attackers may exploit the leaked data in several ways:

    • Credential stuffing attacks: Using the stolen usernames and passwords across multiple platforms to gain unauthorized access.
    • Targeted phishing campaigns: Crafting convincing emails tailored to Anuvu customers and partners, potentially leading to further compromise.
    • Client profiling: Leveraging exposed Salesforce identifiers and other corporate details to build reconnaissance profiles of Anuvu’s partners.

    The linkage of customer accounts to Starlink service usage also adds a new dimension, potentially exposing partners that relied on Anuvu as an intermediary for satellite connectivity.

    Business Impact on Airlines and Maritime Partners

    With its global portfolio of airline and cruise-line partners, Anuvu’s position as a service provider amplifies the potential ripple effects of this attack. Airlines such as Delta, Air France, and British Airways rely on its inflight connectivity services, while maritime operators depend on its technology for communications at sea.

    Any compromise of Anuvu systems could affect the confidentiality of corporate data and raise concerns about continuity of service. While no evidence has surfaced yet that systems used to deliver inflight connectivity were disrupted, the reputational impact could be significant for both Anuvu and its partners.

    At the time of writing, Anuvu has not released an official statement regarding the breach. The company has been contacted for comment, and updates are expected as the investigation develops.
