India's flag carrier airline, Air India, has disclosed a data breach affecting 4.5 million of its customers over a period stretching nearly 10 years after its Passenger Service System (PSS) provider SITA fell victim to a cyber attack earlier this year.
The breach involves personal data registered between Aug. 26, 2011 and Feb. 3, 2021, including details such as names, dates of birth, contact information, passport information, ticket information, Star Alliance, and Air India frequent flyer data as well as credit card data. But Air India said neither CVV/CVC numbers associated with the credit cards nor passwords were affected.
The airline had previously acknowledged the breach on March 19, stating that "its Passenger Service System provider has informed about a sophisticated cyber attack it was subjected to in the last week of February 2021."
In March, Swiss aviation information technology company SITA disclosed it suffered a "highly sophisticated attack" on its servers located in Atlanta, leading to a compromise of passenger data stored in its PSS system. SITA PSS is used by many carriers for processing airline passenger data as part of their frequent flyer programs.
Air India data breached in a major Cyber attack. Breach involves Passengers personal Information including Credit Card Info and Passport Details. Other Global Airlines are likely affected too.#airindia #CyberAttack @airindiain@rahulkanwal @sanket @maryashakil pic.twitter.com/XxUORgInJQ— Jiten Jain (@jiten_jain) May 21, 2021
With the latest development, Air India joins a long list of airlines, such as Lufthansa, Cathay Pacific, Air New Zealand, Singapore Airlines, Scandinavian Airlines (SAS), Finnair, Malaysia Airlines, South Korea's Jeju Air, American Airlines, and United Airlines that have been impacted by the data security incident.
As part of its investigation into the event, Air India said it engaged external specialists and that it notified credit card issuers of the issue, besides resetting passwords of its frequent flyer program. The airline is also urging users to change passwords wherever applicable to thwart potential unauthorized attempts and ensure the safety of their personal data.
UPDATE: According to DarkTracer, the personal information stolen from Air India following the SITA PSS server breach is now being allegedly sold on underground data sale forums for $3,000.