Hackers have stolen data on about 4.5 million Air India passengers around the world in the latest breach reported by a major airline. Names, credit card numbers and passport information were among the data stolen, Air India said in a statement released late Friday.
Ten years’ worth of Air India customer data including credit cards, passports and phone numbers have been leaked in a massive cyber-attack on its data processor in February, the airline has announced.
The incident has affected around 45 lakh customers registered between 26th August 2011 and 3rd February 2021, Air India said, disclosing the scale of the breach nearly three months after it was first informed of it.
Names, date of birth, contact information and ticket information have also been compromised in the ‘highly sophisticated’ attack that targeted Geneva-based passenger system operator SITA that serves the Star Alliance of airlines including Singapore Airlines, Lufthansa and United besides Air India.
“SITA PSS our data processor of the passenger service system (which is responsible for storing and processing of personal information of the passengers) had recently been subjected to a cybersecurity attack leading to personal data leak of certain passengers. This incident affected around 4,500,000 data subjects in the world,” Air India said in an email to customers.
“While we had received the first notification in this regard from our data processor on 25.02.2021, we would like to clarify that the identity of the affected data subjects was only provided to us by our data processor on 25.03.2021 and 5.04.2021,” it added.
“The breach involved personal data registered between 26th August 2011 and 3rd February 2021, with details that included name, date of birth, contact information, passport information, ticket information, Star Alliance and Air India frequent flyer data (but no passwords data were affected) as well as credit cards data. However, in respect of this last type of data, CVV/CVC numbers are not held by our data processor,” the airline said.
Air India said it had launched an investigation into the incident and took steps including securing the compromised servers, engaging external specialists of data security incidents, contacting credit card issuers and resetting passwords of its frequent flyer programme.
“While we and our data processor continue to take remedial actions…We would also encourage passengers to change passwords wherever applicable to ensure safety of their personal data,” it said.
SITA had publicly announced the incident first in March prompting almost a dozen different airlines including Singapore Airlines and Malaysia Airlines to inform passengers that some of their data was accessed by an intruder.
Last year British Airways incurred a 20 million-pound (over ₹ 180 crore) fine after failing to protect data that left more than 4 lakh of its customers’ details the subject of a 2018 cyber-attack.
Other major cyber incidents in the recent past include another London-listed airline, easyJet, which last year said hackers had accessed the email and travel details of around 90 lakh customers.
What is the data breach that has hit Air India customers?
Air India has notified its passengers of a data breach that occurred in February at the SITA passenger service system. The airline said the breach involved data of 45 lakh passengers being leaked.
What is SITA and how is Air India involved?
SITA is a Switzerland-based technology company specialising in air transport communications and information technology. The company was started by 11 member airlines and now has over 2,500 customers in more than 200 countries. SITA offers services such as passenger processing, reservation systems, etc.
Air India had entered into a deal with SITA in 2017 to upgrade its IT infrastructure to enable it to join Star Alliance.
At Air India, SITA also implemented an online booking engine, departure control system, check-in and automated boarding control, baggage reconciliation system and the frequent flyer programme.
What are the details of the Air India data breach?
In March, Air India had said that SITA had flagged a cyber-attack it was subjected to in the last week of February and said it led to the leak of personal data of some of the airline’s passengers.
In its notification to the affected passengers, the airline said that the cyber-attack that compromised the data of millions of passengers from across the world involved personal data registered between August 26, 2011 and February 20, 2021. It said the breached data included the passenger’s name, date of birth, contact information, passport information, ticket information, frequent flyer data and credit card information.
How did Air India respond to the incident?
Following the incident, Air India said it took a number of steps. These include securing the compromised servers, engaging external data security specialists, notifying the credit card issuers and reseting the passwords of Air India frequent flyer programmes. While Air India assured its passengers that there was no evidence of any “misuse” of the data, it said it was in talks with regulatory agencies in India and overseas and also advised the passengers to change their passwords.