India’s flagship airline Air India announced that the personal data of about 4.5 million passengers were stolen in a security breach. The breach affected all Air India’s passengers’ personal data that was registered on IT regulator SITA between August 26, 2011, and late February 2021.
“This is to inform that SITA PSS, our data processor of the passenger service system (which is responsible for storing and processing of personal information of the passengers) had recently been subjected to a cybersecurity attack leading to personal data leak of certain passengers,” Air India wrote in a breach notification.
The compromised data included customers’ names, date of birth, contact information, passport information, credit card data, and Star Alliance and Air India frequent flyer data. The Indian airline assured that credit card CVV/CVC numbers were not revealed to hackers, as Air India’s data processor is not holding such information. Additionally, the air carrier advised all affected customers to change their passwords.
In a statement, India’s national air carrier said it first learned about the data incident on February 25, 2021. However, passengers were notified about the data leak much later, as the identities of affected travelers were learned only on March 25, 2021, and May 5, 2021.
Following the cybersecurity breach, Air India said it took all immediate measures to ensure the safety of data: the airline began an investigation on the aforementioned data leak, started securing compromised servers, notifying and liaising with the credit card issuers.
Air India is not the only airline that has suffered a cybersecurity breach on SITA in late February 2021. Other SITA customers, including Finnair, Japan Airlines, All Nippon Airways (ANA), Lufthansa (LHAB) (LHA), Malaysia Airlines, Air New Zealand, Singapore Airlines (SIA1) (SINGY), United Airlines, and American Airlines (A1G) (AAL) also suffered security breaches.
“After confirmation of the seriousness of the data security incident on February 24, 2021, SITA took immediate action to contact affected SITA PSS customers and all related organizations,” read SITA’s statement written on March 4, 2021.
