A massive cyber-attack on Air India data processor in February has leaked ten years’ worth customer data including passports, credit cards and phone numbers, announced the airline.
Around 45 lakh customers have been affected by this major data leak who had registered themselves between August 26, 2011 and February 3, 2021, said Air India. This violation is being reported by the airline after three months it was first informed of this.
Names, date of birth, contact data and ticket data have additionally been undermined in the ‘highly sophisticated’ attack that focused Geneva-based traveler framework administrator SITA that serves the Star Alliance of aircrafts including Singapore Airlines, Lufthansa and United other than Air India.
“SITA PSS our data processor of the passenger service system (which is responsible for storing and processing of personal information of the passengers) had recently been subjected to a cybersecurity attack leading to personal data leak of certain passengers. This incident affected around 4,500,000 data subjects in the world,” said Air India by emailing its customers.
“While we had received the first notification in this regard from our data processor on 25.02.2021, we would like to clarify that the identity of the affected data subjects was only provided to us by our data processor on 25.03.2021 and 5.04.2021,” it said.
“The breach involved personal data registered between 26th August 2011 and 3rd February 2021, with details that included name, date of birth, contact information, passport information, ticket information, Star Alliance and Air India frequent flyer data (but no passwords data were affected) as well as credit cards data. However, in respect of this last type of data, CVV/CVC numbers are not held by our data processor,” the airline further said.
The airline has also launched a prove in the incident and has taken multiple steps in securing its compromised servers, connecting with outer experts of information security occurrences, reaching credit card issuers and resetting passwords of its long standing customer program.
“While we and our data processor continue to take remedial actions…We would also encourage passengers to change passwords wherever applicable to ensure safety of their personal data,” the airline suggested.
This information was also publicly announced by SITA in March for first time that prompted other airlines of Singapore, Malaysia to inform its customers of suspected access to their data by an intruder.
A year ago the British Airways had incurred a fine of 20 million-pound (over ₹ 180 crore) for failing to protect the data of its customers that became the subject of 2018 cyber-attack.
The other such incidents in recent years include that of London-based airline, easyJet — of which data of at least 90 lakh customers had been accessed through a cyber-attack.