A cybersecurity attack on Air India’s passenger service system has compromised the data of lakhs of passengers, according to a message sent out by the national carrier on Friday.

In a text message, the airline said the SITA PSS data processor of the passenger service system, which is responsible for storing and processing of personal information of the passengers, was subjected to a cybersecurity attack which led to a leak of personal data leak of around 4.5 million passengers in its system.

The data leak reportedly took place on February 25.

SITA confirms that it was the victim of a cyber-attack, leading to a data security incident involving certain passenger data that was stored on SITA Passenger Service System (US) Inc servers,” SITA said in a statement on March 4, according to media reports.

Cybersecurity experts said they were yet to see specifically Air India data being sold on dark web forums, but added that since the hack did not include passwords, the data may instead be sold as a tranche of credit and debit card data. “The credit card data may show up as individual tranches of card information based on limits etc”, said Yash Kadakia, founder and CTO of Security Brigade.

Experts have separately said that sensitive person information like contact and passport data could potentially lead to impersonation attacks and allow perpetrators to break into people’s bank accounts by using such data for verification.

According to Air India, personal data registered between August 26, 2011, and February 3, 2021, including name, date of birth, contact information, passport information, ticket information, Star Alliance and Air India frequent flyer data as well as credit card details, were leaked due to the breach. The information did not include CVV/CVC numbers, the carrier clarified in a message posted on their website.

The airline said the identity of the affected data subjects was only provided to them by their data processor on March 25 and April 5.

“The present communication is an effort to apprise of accurate state of facts as on date and to supplement our general announcement of 19th March 2021 initially made via our website,’ the airline’s media statement uploaded on their website read.

“However, in respect of this last type of data, CVV/CVC numbers are not held by our data processor,” the statement read.

Air India said to ensure the safety of the data, investigations of the breach incident were immediately ordered, compromised servers were secured, and external specialists of data security incidents were engaged.

The national carrier said that it notified credit card issuers and reset the passwords of Air India’s frequent flying programme.

Air India said, “Our data processor has ensured that no abnormal activity was observed after securing the compromised servers. While we and our data processor continue to take remedial actions including but not limited to the above, we would also encourage passengers to change passwords wherever applicable to ensure the safety of their data. The protection of our customer’s personal data is of the highest importance to us and we deeply regret the inconvenience caused and appreciate continued support and trust of our passengers.”

Air India spokesperson did not comment when asked about the update on the investigation findings.

A senior airline official said, “We do not know the extent of misuse of the data. This is a serious matter and is being investigated.”