Air India has admitted to a massive data breach that compromised the personal data of about 4.5 million passengers.
The breach, confirmation of which comes two months after SITA’s Passenger Service System (PSS) was hacked, affected customers who registered between August 2011 and late February 2021, Air India said in a statement. Compromised data includes customers’ names, dates of birth, contact information, passport information, frequent flyer data and credit card data, although CVV/CVC numbers weren’t included.
Passwords weren’t accessed by the hackers, Air India added, although it’s urging all customers to change their passwords as a precaution.
The airline said it first learned of the incident on February 25, but only learned the identities of affected passengers on March 25 and May 4.
“This is to inform that SITA PSS our data processor of the passenger service system (which is responsible for storing and processing of personal information of the passengers) had recently been subjected to a cybersecurity attack leading to personal data leak of certain passengers,” Air India said in a breach notification sent over the weekend.
The airline said it has taken steps to ensure data safety, including “investigating the data security incident; securing the compromised servers; engaging external specialists of data security incidents; notifying and liaising with the credit card issuers, and resetting passwords of Air India FFP program.”
However, Air India customers are unlikely to be the only victims of the SITA hack. The company told Bleeping Computer in a statement that customers from several airlines were affected, including travelers who flew with Air New Zealand, Cathay Pacific, Finnair, Jeju Air, Lufthansa, Malaysia Airlines, SAS and Singapore Airlines.
“By global and industry standards, we identified this cyber-attack extremely quickly. The matter remains under active investigation by SITA,” the company said.
“Each affected airline has been provided with the details of the exact type of data that has been compromised, including details of the number of data records within each of the relevant data categories, including some personal data of airline passengers.”