Air India data breach: What exactly happened?
Data belonging to around 45 lakh Air India customers was leaked in a massive breach of its data processor in February. The airline made this information public on May 21, nearly three months after it was first informed of it. Data including the credit card information, passport details, and phone numbers of the customers was compromised. Here's everything you should know about it.
Air India was first notified of data breach in February
In an email to customers, Air India said that SITA PSS, the data processor responsible for storing and processing the personal information of passengers, was recently subjected to a cyberattack. The Indian national carrier said that it received the first notification from the data processor on February 25, but it got the identities of affected customers only on March 25 and April 5.
What's SITA PSS? Were other airlines affected too?
SITA PSS (Passenger Service System) is an American company that operates the Horizon Passenger Service System for airlines. SITA said that the breach affected several international airlines which don't use SITA's PSS but whose frequent flier data passes through it.
SITA could access all Star Alliance members' frequent flier data
Since Air India is a Star Alliance member and a SITA customer, the latter had access to frequent flier program data for all 26 Star Alliance member airlines. Star Alliance members affected by the SITA breach include Singapore Airlines, Finnair, Air New Zealand, Lufthansa, Aegean Airlines, and British Airways. Singapore Airlines confirmed that although it isn't SITA's client, 5,80,000 KrisFlyer members have been affected.
Besides Star Alliance, One World group of airlines also affected
Due to SITA's PSS system, One World airlines such as Malaysian Airlines, Japan Airlines, Cathay Pacific, and Ibera have also acknowledged that their frequent flier program data was affected in varying degrees. The frequent flier program data reportedly doesn't include financial information.
Customer data gathered over 10 years was breached in attack
The Air India breach exposed personally identifiable information of customers who registered between August 26, 2011, and February 3, 2021. The data included each customer's name, date of birth, contact details, passport information, ticket information, Star Alliance and Air India frequent flier data (excluding passwords), and credit card data. However, the saving grace is that Air India didn't store the CVV/CVC numbers for cards.
British Airways, EasyJet suffered similar breaches in recent years
In 2020, British Airways was fined £20 million for failing to protect the personal data of four lakh customers in a 2018 cyber attack. In a similar incident last year, hackers accessed emails and travel details of around 90 lakh EasyJet customers.
Air India has launched investigation, taking steps to secure data
The aforementioned personal details of the fliers were compromised in a "highly sophisticated" attack. The attack reportedly targeted a Geneva-based passenger system operator called SITA that manages data for the Star Alliance of airlines including Singapore Airlines, Lufthansa, United, and Air India. Air India has launched an investigation. It has also taken steps to secure the compromised servers and engage external data security specialists.
Air India is encouraging customers to change passwords wherever applicable
Additionally, the airline has contacted card issuers and reset the passwords for its frequent flier program. Air India has also encouraged customers to take remedial action and change passwords wherever applicable. The breach is significant since civil servants and government top brass usually fly Air India. This could potentially escalate into a matter concerning national security if it isn't handled with care.