Sunwing Airlines, Canada's largest leisure airline carrier, experienced a catastrophic operational meltdown in April 2022 following a cyberattack on third-party booking and passenger management systems. The attack, which affected the airline's ability to process check-ins and manage bookings for several days, stranded thousands of passengers at airports across Canada and forced the cancellation of hundreds of flights. The incident demonstrated the vulnerability of critical transportation infrastructure to third-party cybersecurity failures.

What Happened

Beginning April 9, 2022, Sunwing Airlines passengers attempting to check in for flights encountered system outages. The airline's booking systems, check-in platforms, and passenger management systems became unavailable, preventing staff from processing passengers and generating boarding documentation. Investigation revealed that a third-party provider supplying critical booking and passenger management systems had suffered a cyberattack.

The third-party provider, which served multiple airline clients across North America, had been compromised by threat actors who deployed ransomware affecting customer-facing systems. Sunwing was among the most severely impacted clients because it depended on the provider's systems for critical operational functions. The airline had limited ability to function manually, as decades of operational transition to digital systems had eliminated paper-based backup processes.

Scope and Impact

At its peak, the outage affected approximately 6,000 passengers per day attempting to travel on Sunwing flights. The airline was forced to cancel hundreds of flights across its network, affecting routes to popular vacation destinations in the Caribbean, Mexico, and Central America. Passengers already at airports were stranded, unable to board flights due to system failures. Others were unable to complete online check-in or contact the airline to reschedule flights.

The outage persisted for approximately 48 hours before the third-party provider could restore systems. During this period, Sunwing attempted to restore service through manual processes, but the scale of operations made this largely impossible. Thousands of passengers missed vacation flights, whilst others faced significant delays in reaching their destinations. The airline industry was forced to activate emergency protocols to reroute passengers and coordinate with other carriers.

Customer Impact and Consequences

Sunwing passengers experienced significant disruption, financial losses, and inconvenience. Families missed vacation travel during peak spring break periods. Customers who had prepaid for travel were unable to use bookings due to system failures. Some passengers were stranded overnight in airports without accommodation support. The incident raised serious questions about passenger protection requirements and whether airlines maintain adequate contingency plans for third-party system failures.

Sunwing also faced significant reputational damage and financial consequences from the incident. The airline was required to arrange alternative transportation for stranded passengers, provide meal allowances, and in many cases offer refunds. The incident triggered regulatory scrutiny from aviation authorities regarding contingency planning requirements for critical systems.

Third-Party Provider Response

The third-party provider that was directly attacked engaged incident response teams and worked to restore systems. However, the provider's limited communication to customer airlines during the incident was criticised. Many Sunwing passengers and employees were unaware for hours of the cause of the outage or the expected timeline for restoration. The provider eventually restored systems but did not disclose detailed information about the attack or lessons learned.

Sunwing's Response

Following restoration of systems, Sunwing Airlines implemented several response measures:

  • Offered refunds and compensation to affected passengers as required by airline regulations
  • Conducted a comprehensive review of third-party provider contracts and service level agreements
  • Enhanced contingency planning to develop manual backup processes for critical functions
  • Diversified third-party provider dependencies to reduce reliance on single suppliers for critical systems
  • Implemented additional backup systems and redundancy for passenger management functions
  • Established stricter information security requirements for all third-party service providers

Lessons Learned

The Sunwing Airlines incident provides critical lessons for transportation companies and organisations dependent on third-party service providers. First, organisations must conduct rigorous due diligence on third-party providers' cybersecurity practices and maintain updated assessments of their security posture. A breach at a provider can have impacts equivalent to a breach of the organisation itself.

Second, critical infrastructure organisations must maintain contingency plans that do not depend entirely on digital systems. The airline's inability to function manually during the outage demonstrated the risks of complete digitalisation without backup capabilities. Key processes should include documented manual procedures that can be activated during system outages.

Third, service level agreements with critical providers should include specific security requirements, incident response timelines, and communication protocols. Providers must be contractually obligated to maintain minimum service levels and communicate proactively during incidents affecting customers.

How CyberSafe Can Help

CyberSafe's Third-Party Risk Assessment Services evaluate the security practices and incident response capabilities of critical service providers. Our Cyber Defense Services help organisations implement redundancy and backup systems for critical functions. Through Managed Security Services, we provide continuous monitoring of third-party systems and rapid incident detection to minimise operational disruption.

Sources