Air India says 10 years of passenger data breached
India’s national airline Air India on Friday reported a data breach that it said involved the personal data, including contact details, credit card numbers and passport information, of an unspecified number of customers.
The national carrier said the compromise involved personal data registered between August 26, 2011 and February 20, 2021 and that the data was breached during a hack on its data processor, SITA, which disclosed a cyberattack in March.
SITA offers back-end network services to a number of airlines and several of them sent similar notifications to their customers earlier this month. The affected airlines included Lufthansa, Finnair, British Airways, Singapore Airlines, American Airlines and United, and involved close to 4.5 million records.
Air India said the data of its customers involved those that were registered over a span of nearly 10 years. “The breach involved personal data registered between 26 August 2011 and 3 February 2021, with details that included name, date of birth, contact information, passport information, ticket information, Star Alliance and Air India frequent flyer data (but no passwords data were affected) as well as credit cards data,” a notification from Air India said.
The airline added: “While we had received the first notification in this regard from our data processor on 25.02.2021, we would like to clarify that the identity of the affected data subjects was only provided to us by our data processor on 25.03.2021 and 5.04.2021”.
“SITA confirms that it was the victim of a cyber-attack, leading to a data security incident involving certain passenger data that was stored on SITA Passenger Service System (US) Inc servers,” SITA said in a statement on March 4, as per media reports.
Cybersecurity experts said they were yet to see specifically Air India data being sold on dark web forums, but added that since the hack did not include passwords, the data may instead be sold as a tranche of credit and debit card data. “The credit card data may show up as individual tranches of card information based on limits etc,” said Yash Kadakia, founder and CTO of Security Brigade.
Experts have separately said that sensitive person information like contact and passport data could potentially lead to impersonation attacks and allow perpetrators to break into people’s bank accounts by using such data for verification.
“Our data processor has been subjected to a cybersecurity attack leading to personal data leak of passengers. This affected around 4,500,000 data subjects in the world,” Air India said.