India’s national airline Air India faced a massive data breach in which 10 years of data of its customers has been leaked.
The data included details about the credit cards, passports, and phone numbers. The airline said that this breach was due to a cyber-attack on its data processor.
This has affected the details of about 4.5 million customers who were registered between 26th August 2011 and 20th February 2021.
“SITA PSS, our data processor of the passenger service system (which is responsible for storing and processing personal information of the passengers) had recently been subjected to a cyber security attack leading to personal data leak of certain passengers. This incident affected around 4,500,000 data subjects in the world,” said Air India in an email to its customers.
The statement further added that they had received the first notification in this regard from their data processor on 25/02/2021 and that the identity of the affected data subjects was provided to them by their data processor on 25/03/2021 & 5/4/2021.
“The breach involved personal data registered between 26th August 2011 and 20th February 2021, with details that included name, date of birth, contact information, passport information, ticket information, Star Alliance and Air India frequent flyer data (but no passwords data were affected) as well as credit cards data. However, in respect to this last type of data, CVV/CVC numbers are not held by our data processor,” added Air India.
Air India said that they will be investigating this matter and have taken a few steps to ensure the safety of the data which include investigating the data security incident, securing the compromised servers, engaging external specialists of data security incidents, notifying and liaising with the credit card issuers and resetting passwords of Air India FFP program.
“While we and our data processor continue to take remedial actions. We would also encourage passengers to change passwords wherever applicable to ensure the safety of their personal data,” said Air India in an official statement.