Air India disclosed a data breach after personal information belonging to roughly 4.5 million of its customers was leaked two months following the hack of Passenger Service System provider SITA in February 2021.
The Indian national carrier first informed passengers that SITA was the victim of a cyberattack on March 19.
“This is to inform that SITA PSS our data processor of the passenger service system (which is responsible for storing and processing of personal information of the passengers) had recently been subjected to a cybersecurity attack leading to personal data leak of certain passengers,” Air India said in a breach notification sent over the weekend.
“This incident affected around 4,500,000 data subjects in the world.”
The airline added that the breach impacted the data of passengers registered between August 2011 and February 2021.
Nevertheless, after investigating the security incident, it was found that no credit card information or password data was accessed during the breach.
However, Air India urges its passengers to change their credentials to block potential breach attempts and ensure their data security.
“The breach involved personal data registered between 26th August 2011 and 3rd February 2021, with details that included name, date of birth, contact information, passport information, ticket information, Star Alliance, and Air India frequent flyer data (but no passwords data were affected) as well as credit cards data,” Air India added [PDF].
“However, in respect of this last type of data, CVV/CVC numbers are not held by our data processor.”
The protection of our customers’ personal data is of highest importance to us and we deeply regret the inconvenience caused and appreciate the continued support and trust of our passengers. — Air India
Data breach impacts Star Alliance members
Almost a dozen more air carriers besides Air India informed passengers that some of their data was accessed during a breach of SITA’s Passenger Service System (PSS), which handles transactions from ticket reservations to boarding.
SITA also confirmed the incident saying that it reached out to affected PSS customers and all related organizations in early March.
At the time, a SITA spokesperson told BleepingComputer that the breach impacts data of passengers from multiple airlines, including:
- Lufthansa – combined with its subsidiaries, it is the second-largest airline in Europe in terms of passengers carried; Star Alliance member and Miles & More partner
- Air New Zealand – flag carrier airline of New Zealand
- Singapore Airlines – flag carrier airline of Singapore
- SAS – Scandinavian Airlines (disclosure here);
- Cathay Pacific – flag carrier of Hong Kong
- Jeju Air – the first and largest South Korean low-cost airline
- Malaysia Airlines – flag carrier airline of Malaysia
- Finnair – flag carrier and largest airline of Finland
Some of these air carriers (including Air India) are part of the Star Alliance, a global airline network with 26 members, including Lufthansa, the largest in Europe.
Star Alliance told BleepingComputer that its members also share customer details relevant to awarding traveling benefits.
The information is limited to membership names, frequent flyer program membership numbers, and program tier status.