Data on 4.5 million Air India passengers exposed in SITA hack

Names, dates of birth and contact details were among the information stolen in the breach in March

The personal data of about 4.5 million Air India passengers was exposed as a result of a data breach at a major IT provider to the airline industry, Air India confirmed last week.

In a notice to passengers [pdf], India's largest carrier airline said that the breach at SITA PSS in March involved the personal data of passengers registered between 26th August 2011 and 3rd February 2021.

Exposed details included passenger names, contact details, date of birth, passport information, ticket information and credit card data, as well as Star Alliance and Air India frequent flyer data.

No passwords were affected in the breach, and the data processor didn't hold any CVV/CVC credit card numbers, Air India said.

SITA, which serves the Star Alliance group of airlines, announced that it had been hit with a sophisticated cyber attack earlier this year, leading to a breach of frequent flyers' data stored on its servers.

The firm operates passenger processing systems such as ticketing for airlines, said the breached data was stored on servers belonging to SITA Passenger Service System (US) (SITA PSS).

The company confirmed the 'seriousness' of the incident on 24th February, and then took measures to contain the infection and resolve the issue.

SITA is a Swiss IT firm known for providing IT and telecommunications services to air transport companies around the world. It has more than 2,500 customers, including Singapore Airlines, Lufthansa, United and Finnair, in over 200 countries and territories.

Air India says it received the first notification about the data breach from SITA on 25th February, although the identity of the affected data subjects was not revealed at that time. SITA provided information about the affected passengers to Air India on 25th March and 5th April.

Air India was told that no malicious activity was observed after the compromised servers were secured by SITA IT teams.

Air India says it took a variety of measures to ensure the safety of the passenger data, including its own investigation of the security incident, using the services of external cyber security experts, notifying and coordinating with the credit card issuers, and resetting the passwords of its frequent flyer programme.

'The protection of our customers' personal data is of highest importance to us and we deeply regret the inconvenience caused and appreciate continued support and trust of our passengers,' the airline said.

This is not the first cyber security incident to have affected Air India. Back in 2016, the airline detected a fraud attack in which criminals hacked 20 frequent flyer accounts and stole flying miles worth Rs 16 lakh (£16,000).