Air India has confirmed that 4.5 million passengers have had their personal data exposed in a third-party data breach first disclosed over two months ago.
The incident impacted SITA, an IT provider which claims to serve around 90% of the aviation industry. Attackers compromised servers that operate passenger processing systems for airline clients.
Air India said it first received word of the attack on February 25 this year, but was unable to confirm those affected until SITA informed it on 25 March and 5 April.
“The breach involved personal data registered between August 26 2011 and February 3 2021, with details that included name, date of birth, contact information, passport information, ticket information, Star Alliance and Air India frequent flyer data (but no passwords data were affected) as well as credit card data,” the statement noted.
“However, in respect of this last type of data, CVV/CVC numbers are not held by our data processor.”
Air India claimed that, following the incident, the affected servers were secured, external investigators engaged, credit card issuers were notified and frequent flyer passwords were reset.
“Further, our data processor has ensured that no abnormal activity was observed after securing the compromised servers,” it added.
“While we and our data processor continue to take remedial actions including but not limited to the above, we would also encourage passengers to change passwords wherever applicable to ensure safety of their personal data.”
Finnair, Malaysia Airlines, Japan Airlines and Singapore Airlines were among the other big names affected by the breach.
Although Singapore Airlines said it was not a customer of SITA’s, some of its frequent flyer data was apparently compromised via a fellow Star Alliance member that was.
This isn’t the first data security incident to have affected Air India. Back in 2016 a possible insider attack was detected in which threat actors sought to divert over $23,000 in air miles.