Aviation's Cyber Blind Spot: Why the Industry Gathering in Rio Has a Security Problem It Is Not Talking About Loudly Enough

THREAT INTELLIGENCE BRIEF | THE CYBERDIPLOMAT | JUNE 4, 2026


As the world's airline chiefs convene in Rio de Janeiro for the 82nd IATA AGM, the Embraer story serves as a pointed reminder that the aviation sector's digital transformation is running ahead of its cyber defences — and that encryption, compliance, and export controls are the fault lines executives are least prepared for.


The Backdrop

Rio de Janeiro this week becomes the temporary capital of global aviation. More than 370 airlines, airport operators, technology leaders, policymakers and investors will gather under the IATA banner to debate sustainability, AI, slot coordination, financial infrastructure and Brazil's aviation potential. The agenda is ambitious. The setting is symbolic. And quietly sitting behind nearly every item on the programme is a question that rarely gets the main stage it deserves: how secure is the digital infrastructure holding all of this together?

The answer, based on available evidence, is: not secure enough.


The Embraer Precedent — And What It Really Exposed

Embraer, Brazil's aerospace crown jewel and the world's third-largest commercial aircraft manufacturer, has lived through this lesson firsthand. The company suffered a significant ransomware attack that forced the shutdown of large portions of its server infrastructure, compromised backup systems, and resulted in the exfiltration and public disclosure of sensitive company data. Employees were initially told it was a system glitch. It was not.

But beyond the immediate operational disruption, the Embraer incident illuminated a structural vulnerability that goes far deeper than ransomware — and one that is particularly acute for aerospace companies: the intersection of cybersecurity and encryption export and import controls.

Embraer operates at the nexus of commercial aviation, military aircraft production, and advanced defence technology. Through its subsidiary Atech and its investment in encryption firm Kryptus — which provides cryptographic systems to the Brazilian military, intelligence services, and several South American defence forces — Embraer handles technology that is subject to strict export and import licensing regimes across multiple jurisdictions. The US Export Administration Regulations, Brazil's own defence export framework, and increasingly China's Export Control Law all impose classification, licensing, and reporting obligations on encryption products and dual-use technology.

When a company operating in this environment suffers a breach, the consequences are not limited to customer data or operational downtime. The exposure of encryption keys, cryptographic algorithms, or technology subject to export controls can constitute a regulatory violation in its own right — regardless of whether the company was the victim. The breach becomes a compliance event as well as a security event, with potential sanctions exposure, licence revocations, and mandatory disclosures to multiple government authorities across jurisdictions.

This is a risk that most aviation sector executives have not fully mapped. And the IATA AGM in Rio is an opportunity to change that.


Why Rio Makes This Conversation Urgent

The timing of this year's AGM is significant for reasons beyond ceremony. IATA's own cybersecurity fact sheet — released ahead of the Rio summit — acknowledges that the industry's digital transformation now spans corporate systems, connected aircraft, ground infrastructure, electronic flight bags, cloud operations, and AI-driven decision-making. IATA is establishing several new aviation cybersecurity expert groups in 2026, focused on industry coordination, regulatory monitoring, innovation and crisis response.

That is progress. But it sits against a threat environment that is accelerating faster than the governance frameworks being built to address it. Cyberattacks against airlines, airports, and air traffic management systems rose by 131% between 2022 and 2023 alone. The AGM's technology session will ask whether AI is living up to its promises for airlines — a legitimate question. The more pressing question is whether airlines and aviation manufacturers understand that AI also expands their cyber risk surface in ways that existing security architectures were not designed to handle.

Brazil adds a specific dimension. IATA's financial settlement systems processed $492.4 billion in 2025, with the Billing and Settlement Plan alone handling $242.3 billion across more than 180 countries. Brazil's aviation sector supports 2.1% of the country's GDP and 1.9 million jobs. The concentration of financial flows, sensitive operational data, and strategic industry intelligence that passes through IATA's systems — and through the networks of its member airlines — makes the global aviation ecosystem one of the most valuable targets in the world for state-sponsored and financially motivated threat actors alike.


The CyberDiplomat's Assessment

Three issues deserve direct executive attention as the Rio agenda unfolds.

1. Encryption compliance is an aviation problem, not just a defence problem

The line between commercial aviation technology and dual-use or defence-applicable technology is increasingly blurred. Modern aircraft avionics, air traffic management systems, secure communications infrastructure, and airline operational technology all involve cryptographic components subject to export control regimes. Airlines and manufacturers that have not audited their technology supply chains for encryption compliance exposure are sitting on an unquantified regulatory liability. A breach that exposes controlled cryptographic technology does not just trigger an insurance claim — it can trigger a government investigation.

2. SAF and sustainability investment is creating new third-party attack surfaces

The Rio agenda places significant emphasis on sustainable aviation fuel and Brazil's potential as a SAF production hub, with sessions featuring Petrobras and Acelen Renewables. As airlines deepen commercial and data-sharing relationships with energy companies, agricultural technology providers, and sustainability platforms, they are extending their digital perimeter into sectors with materially weaker cybersecurity postures. Every new partnership in the SAF supply chain is a potential entry point for an attacker. Executives signing sustainability partnerships should be asking for security assessments with the same rigour they apply to financial due diligence.

3. The AGM itself is a high-value intelligence target

Gathering the chief executives of the world's major airlines, their financial data, strategic plans, fleet investment decisions, and regulatory positions in one location — even a well-secured conference venue — creates a concentration of sensitive information that is attractive to intelligence services and corporate espionage actors. Delegates should assume that the networks, devices, and communications channels they use in Rio this week are being probed. Operational security during high-profile industry gatherings is a discipline that aviation leadership has not historically prioritised. It should be.


What Executives Should Take Away From Rio

The IATA AGM will produce resolutions on sustainability, slot coordination, AI, and financial infrastructure. What it is less likely to produce — unless delegates push for it — is a binding commitment to minimum cybersecurity standards across member airlines and their technology partners.

That gap matters. IATA represents airlines accounting for 85% of total scheduled traffic. A coordinated cyberattack against the financial settlement infrastructure, or a cascading compromise moving laterally across connected airline operational systems, would not be contained by the borders of any single carrier. The systemic risk is real, and it is growing.

For business leaders in aviation and adjacent sectors, the Embraer precedent and the Rio gathering together make the same argument: cybersecurity in aviation is no longer an IT cost centre. It is a strategic risk with regulatory, financial, reputational, and national security dimensions. The companies that treat it as such — before the incident, not after — will be the ones still flying when others are grounded explaining themselves to regulators.


Bottom Line

Rio this week is about aviation's future. The Embraer story is a warning about what happens when the sector's ambitions outpace its security posture. The two conversations belong in the same room. Whether they get there is a question of leadership.