Airline IT provider SITA suffers data breach

Tens of thousands of airline passengers have been impacted as a result of the attack on SITA's servers

IT provider SITA, which services about 90 per cent of the global aviation industry, has fallen victim to a sophisticated cyber attack, leading to a breach of frequent flyers' data stored on its servers.

The firm, which operates passenger processing systems such as ticketing for airlines, did not provide detailed information about the incident, but said that the breached data was stored on SITA Passenger Service System (US) Inc. (SITA PSS) servers.

After SITA confirmed the 'seriousness' of the incident on 24th February, it took 'immediate and appropriate' measures to contain the infection and resolve the issue, as well as notifying affected customers and other organisations.

'We recognise that the Covid-19 pandemic has raised concerns about security threats, and, at the same time, cyber-criminals have become more sophisticated and active. This was a highly sophisticated attack,' SITA said in a statement.

'SITA acted swiftly and initiated targeted containment measures. The matter remains under continued investigation by SITA's security incident response team with the support of leading external experts in cyber-security.'

The cyber actors behind the attack were able to obtain passenger records from PSS servers hosted in an Atlanta, Georgia data centre operated by an American subsidiary.

'If you are the customer of an airline and have a Data Subject Access Request in relation to the handling of your personal data, this request must be made directly to that airline in accordance with GDPR and data protection legislation. SITA is unable to respond directly to any such request,' the company states on its website.

SITA is a Swiss IT firm headquartered in Geneva. It provides IT and telecommunications services to air transport companies around the world. SITA has more than 2,500 customers, including Singapore Airlines, Lufthansa, and Finnair, in over 200 countries and territories.

United, one of the Star Alliance airlines, notified its customers about the data breach by email, stating that, apart from customer names, personal information and passwords were not exposed.

'We have strong cyber security measures in place to protect your personal data, and both United and Star Alliance have reviewed our own systems and found no indications that they have been compromised in connection with this incident,' the firm said.

Singapore Airlines said that about 580,000 members of KrisFlyer and its top-tier Priority Passenger Service (PPS) have been affected by the breach. The information exposed included membership number, tier status and, in some cases, membership name.

PPS and KrisFlyer member passwords, credit card details, and other information, such as reservations, itineraries, email addresses, passport numbers, and ticketing details, were not exposed, Singapore Airlines stated.