SITA, an IT company providing IT and telecommunication services to the air transport industry, has revealed it recently suffered a major cyber attack that compromised information belonging to several airline companies.
In a press release it published today, SITA said that it suffered the cyber attack on February 24 which involved hackers targeting its US-based server that stored personal data records of a large number of flyers.
SITA is one of the largest aviation IT companies in the world, serving around 90% of airlines globally and helping them to manage reservations, ticketing, and aircraft departures via Horizon, its in-house passenger service system.
“SITA confirms that it was the victim of a cyber-attack, leading to a data security incident involving certain passenger data that was stored on SITA Passenger Service System (US) Inc. servers. Passenger Service System (US) Inc. (“SITA PSS”) operates passenger processing systems for airlines.
“After confirmation of the seriousness of the data security incident on February 24, 2021, SITA took immediate action to contact affected SITA PSS customers and all related organizations,” the company said. SITA has started notifying several airlines like Malaysia Airlines, Finnair, Singapore Airlines, and Jeju Air about this breach.
Singapore Airlines, though not a direct customer of SITA, had to share a "restricted" set of data as a member of the Star Alliance group, another member of which also used the SITA system. As a result, the security breach suffered by SITA led to the compromise of data belonging to 580,000 Singapore Airlines' frequent flyer members. The airline said that the sharing of this ‘restricted’ set of data was necessary to validate membership tier status and provide customers with other relevant benefits.
“One of the Star Alliance member airlines is a SITA PSS customer. As a result, SITA has access to the restricted set of frequent flyer programme data for all 26 Star Alliance member airlines including Singapore Airlines,” it said.
Singapore Airlines also confirmed that compromised data was limited to the membership number and tier status, and in some cases, the name of members of its KrisFlyer higher tier PPS frequent flyer programme.
“Specifically, this data breach does not involve KrisFlyer and PPS member passwords, credit card information, and other customer data such as itineraries, reservations, ticketing, passport numbers, and email addresses as SIA does not share this information with other Star Alliance member airlines for this data transfer,” the airline added.
In an emailed response to ZDNet, a SITA spokesperson did not mention the exact date of when the breach was discovered internally, owing her refusal to "tactical and security reasons". She did, however, say that the company is presently investigating the breach. The spokesperson also did not state how the company's systems were infiltrated by hackers.
This is the second such breach reported in the aviation industry this week. On Thursday, it came to light that Malaysia Airlines suffered a massive data breach that compromised the personal data records of its frequent flyer customers over a period of nine years. Fortunately, the breach did not expose any passwords, Enrich member's itineraries, ticketing, reservations, or any ID card or financial information.
Commenting on the breach suffered by SITA, Brian Higgins, security specialist at Comparitech.com, told Teiss that thankfully, the perpetrators of this breach didn’t seem to have accessed any personal data other than names and membership numbers. Whilst this will still be a concern for those customers involved, SITA appears to have a robust incident response plan in place for their protection. The vital take-away for operators here is that your supply-chain needs just as much protection as your core business.
“Data-sharing is a fundamental part of the modern business practice but any enterprise should require and validate data security protocols for all of their suppliers, subsidiaries, and any other associated companies. A breach in the chain can happen anywhere but if it’s your chain, it’s your reputation,” he added.