India’s national carrier Air India has confirmed that a cyber attack targeting SITA’s Passenger Service System (PSS) in February compromised the detailed personal information of millions of its customers.
Via a notification posted on its website, Air India said that the data breach, which compromised the data of around 4.5 million customers, was related to the SITA PSS security incident that affected major airline companies globally. As per the notification, the security breach affected more than 4.5 million passengers who registered with the airline between 26th August 2011 and 3rd February 2021.
The leaked information included names, dates of birth, contact information, passport information, ticket information, Star Alliance, and Air India frequent flyer data. Air India has, however, clarified that no passwords were leaked and credit card details and CVV numbers were not stored in the affected server.
The carrier was first notified about the security breach by SITA PSS on February 25 and was subsequently notified about the identity of the affected data subjects on March 25 and April 5. “The present communication is an effort to apprise of accurate state of facts as on date and to supplement our general announcement of 19th March 2021 initially made via our website,” Air India said.
Air India added that it is investigating the security incident and has already taken measures to secure the compromised servers. It has also brought in cyber security experts to analyse the situation and has notified organisations that issued the credit cards. Furthermore, it has encouraged all passengers to change the passwords of their Air India accounts.
“While we and our data processor continue to take remedial actions including but not limited to the above, we would also encourage passengers to change passwords wherever applicable to ensure safety of their personal data. The protection of our customers’ personal data is of highest importance to us and we deeply regret the inconvenience caused and appreciate continued support and trust of our passengers,” it added.
SITA is one of the largest aviation IT companies in the world, serving around 90% of airlines globally and helping them to manage reservations, ticketing, and aircraft departures via Horizon, its in-house passenger service system. The company suffered a major cyber attack on February 24 which involved hackers targeting its US-based server that stored personal data records of a large number of flyers.
The breach suffered by SITA also affected Singapore Airlines which, though not a direct customer of SITA, had to share a “restricted” set of data as a member of the Star Alliance group, another member of which also used the SITA system. As a result, the security breach suffered by SITA led to the compromise of data belonging to 580,000 Singapore Airlines’ frequent flyer members. The airline said that the sharing of this ‘restricted’ set of data was necessary to validate membership tier status and provide customers with other relevant benefits.
Commenting on the massive breach impacting 4.5 million Air India flyers, Jeremy Hendy, CEO at Skurio, says that Air India’s involvement in this SITA supply chain attack shows that no matter how good your own network security, someone else may lose your data and bad actors are ready to exploit this. Other organisations which partner with SITA should initiate monitoring for breaches of their customer data as a result.
“Businesses should continually review security and processes with their suppliers; requiring ISO certification and clearly documented standards as a minimum. Watermarking data can help companies to identify third-party breaches faster and enable them to take action sooner.
“Organisations must constantly scan for leaked documents outside the enterprise perimeter, including connected storage, open databases, cloud applications, and the Dark Web to uncover confidential and sensitive data quickly, before it is exploited,” says David Sygula, Senior Cyber Security Analyst as CybelAngel.
“The legal and regulatory consequences of leaked data often include fines, penalties, and damage to reputation, which drives up customer acquisition costs and decreases lifetime customer value. Similarly, shareholder value can take years to recover, if ever”.