Around four and a half million Air India customers have had their personal data compromised, the airline has confirmed in a statement.
The notice comes a full two months after a reported cyberattack on SITA's Passenger Security System.
SITA is a data processor that works on behalf of Air India as well as several other airlines. The company says that they first received a notification of the breach on 25 February 2021, but that the identity of the subjects affected by the breach was provided on 25 March and 5 April 2021.
According to the statement, "The breach involved personal data registered between 26th August 2011 and 3rd February 2021, with details that included name, date of birth, contact information, passport information, ticket information, Star Alliance and Air India frequent flyer data as well as credit card data". No data pertaining or related to account passwords was reportedly affected, nor were CVV/CVC numbers from the back of credit cards.
News of the breach broke in early March, but details were vague. Other airlines involved in the breach have been notifying customers over the past two to three months.
A widespread attack
Air India was one of several airlines to have passenger information exposed during the SITA breach, Others include:
- Air New Zealand
- SAS - Scandinavian Airlines
- Cathay Pacific
- Malaysia Airlines
- Singapore Airlines
- Jeju Air
Several of these companies are the flag carrier airlines for countries such as New Zealand, Finland, and Malaysia. Right now, it is unclear what organization or individual is behind the attack, and what their true motivations were.
How did SITA and Air India respond?
SITA, the company responsible for securely processing this data, said that "By global and industry standards, we identified this cyber-attack extremely quickly. The matter remains under active investigation by SITA".
Each affected airline has been provided with the details of the exact type of data that has been compromised, including details of the number of data records within each of the relevant data categories, including some personal data of airline passengers.
Air India, on the other hand, were a lot more apologetic in their statement, saying that "The protection of our customers’ personal data is of highest importance to us and we deeply regret the inconvenience caused and appreciate continued support and trust of our passengers".
Air India has also encouraged all passengers who signed up with the airline between the dates specified to change their passwords "wherever applicable" to secure their personal data.
A running trend
Data breaches involving airline companies have been an all too common fixture of the news over the past few years. In 2020, for instance, British Airways were handed a £20m fine for a data breach that compromised the data of 400,000 customers two years before.
EasyJet are another company to fall victim to a breach in recent times; the data of over nine million customers was exposed in what was dubbed a "highly sophisticated" attack.
Airports have also come under fire for mishandling passenger data. Heathrow Airport was fined £120,000 in 2018 after a staff member misplaced a USB stick containing sensitive information about customers, including the exact travel plans for the Queen.
Cathay Pacific, one of the airlines involved in the SITA data breach, were charged £500,000 by the ICO for a 2018 data breach, too. They failed to disclose that the breach had happened for a whole six months after it took place.
Why are airlines always involved in data breaches?
Of all the sectors, it seems airlines have a particular problem with cybersecurity. We're forever hearing about the latest leak, breach, or compromised data. This isn't necessarily just because the industry has poor cybersecurity standards at all – it's actually a combination of factors.
As sectors go, companies working in aviation store much more personal information about customers than sectors like retail, for example, including passport information that is directly linked to financial data. And it's that first kind of data that makes them so different from other companies and so ripe for targeting – who else has passport information en masse?
However, the sheer diversity of technology used in the flight process – from electronic check-in software to in-flight entertainment modules and Wi-Fi connectivity systems – means there are many more exploit points for hackers to capitalize on than might be found in another sector.
Airlines also represent one node in a massive, interconnected web of data exchanges between governments, credit card companies, banks, hotels, baggage handlers, and so forth. Data is constantly moving through these organizations at speeds rarely seen elsewhere and can have multiple destinations at once.