We are still learning of the damage three months after aviation data giant SITA reported a data breach.
Air India announced this week that the personal data of approximately 4.5 million passengers had been compromised following the incident at SITA, the data processor for the Indian airline. The information stolen included the passenger’s name, credit card information, date of birth, contact information, passport information, ticket information, frequent flyer information from Star Alliance and Air India, Air India said in a statement (PDF).
Credit card CVV / CVC data was not stored by SITA, Air India said when passengers were asked to change passwords “where appropriate to ensure the security of their personal information”.
The attack compromised data from passengers who registered with the Indian airline between August 26, 2011 and February 3, 2021 in the past decade, Air India said in a statement.
The disclosure comes months after SITA reported a passenger data breach. At the time, SITA had informed several airlines – Malaysia Airlines, Finnair, Singapore Airlines, Jeju Air, Cathay Pacific, Air New Zealand and Lufthansa – of the breach.
The Geneva, Switzerland-based company, which allegedly serves 90% of the world’s airlines, had refused to disclose the specific data that had been compromised at the time of the disclosure in early March and cited an investigation that is ongoing.
Air India said that SITA was first notified of the cyber attack on February 25, but the nature of the data was not made available until March 25 and April 5.
The struggling Indian airline, which survived on tax money, claimed it investigated the security incident, secured the compromised servers, teamed up with nameless outside specialists, notified the credit card issuers and reset the passwords of its frequent flyer program.
Air India is the youngest Indian company to report a data breach in the past few quarters. Payment giant MobiKwik announced in late March that it was investigating allegations of a data breach that allegedly disclosed private information of nearly 100 million users.
Alleged records of nearly 20 million BigBasket customers (a top grocery delivery startup in India now owned by local Tata conglomerate) leaked on the dark internet for anyone to download in late April. A vulnerability at Indian telecommunications giant Jio Platforms revealed the results of some users who had used the tool to check their coronavirus symptoms. The Indian state of West Bengal and the giant blood testing company Dr. Lal PathLabs have suffered similar violations. Air India’s peer Spicejet also confirmed a data breach last year.