Three months after air transport data giant SITA reported a data breach, we still learned about the damage. Air India said this week that the personal data of about 4.5 million passengers had been compromised following the incident at SITA, the Indian flag carrier airline’s data processor. The stolen information included passengers’ names, credit card details, date of birth, contact information, passport information, ticket information, Star Alliance, and Air India frequent flyer data, Air India said in a statement (PDF).
According to Air India, CVV/CVC data of credit cards were not held by SITA, as it urged passengers to change passwords “wherever applicable to ensure the safety of their personal data.”
The attack compromised data of passengers who had registered with the Indian airline over the past decade, between August 26, 2011, and February 3, 2021, Air India said in a statement.
The revelation comes months after SITA said it had suffered a data breach that involved passenger data. At the time, SITA said it had notified several airlines — Malaysia Airlines, Finnair, Singapore Airlines, Jeju Air, Cathay Pacific, Air New Zealand, and Lufthansa — of the breach.
The Geneva, Switzerland-headquartered firm — which is said to serve 90% of the world’s airlines — had declined to reveal the specific data that had been compromised at the time of disclosure in early March, citing an investigation — which is still ongoing.
Air India said that it was first notified about the cyber attack by SITA on February 25, but the nature of the data was only provided to it on March 25 and April 5.
The struggling Indian airline, which has been surviving on taxpayer’s money, claimed that it had investigated the security incident, secured the compromised servers, engaged with unnamed external specialists, notified the credit card issuers, and had reset passwords of its frequent flyer program.
Air India is the latest Indian firm to disclose a data breach in recent quarters. Payments giant MobiKwik said in late March that it was investigating claims of a data breach that allegedly exposed the private information of nearly 100 million users.
Alleged records of nearly 20 million BigBasket (a top grocery delivery startup in India owned by local conglomerate Tata) customers leaked on the dark web for anyone to download in late April. A security lapse at Indian telecom giant Jio Platforms exposed results of some users who had used its tool to check their coronavirus symptoms. Indian state West Bengal and giant blood test firm Dr. Lal PathLabs suffered similar breaches. Air India’s peer, Spicejet, also confirmed a data breach last year.