Shock for Air India FFP members

MUMBAI, 25 May 2021: Air India’s financial troubles intensified following confirmation that hackers have stolen personal data on about 4.5 million Air India passengers, including their credit card details.

The airline confirmed hackers had harvested names, credit card numbers and passport information in a statement released 21 May.

The breach goes back to March when the airline was warned it had been targeted by hackers.

The state-owned airline crippled by debts is now facing a crisis of confidence as it attempts to close the breach in the “compromised servers”  The breach impacts thousands of frequent flyer members who trusted the airline with their financial details and personal records.

The airline attempted to reassure them by saying it was working with “external specialists” on data security as well as credit card companies as a damage control measure. It comes at the worst possible time for the airline, which is struggling to survive the Covid-19 pandemic that has brought India to its knees and closed down international and domestic flights.

In a report on the incident, AFP noted that a “number of airlines had been hit by data breaches in recent years. British Airways was fined USD28 million last year by a British watchdog after details of 400,000 passengers were lost in a 2018 cyberattack. Cathay Pacific was fined USD700,000 after details of more than nine million clients were lost in 2018.”

Air India announced last March that its data processing company, SITA PSS warned the airline it had suffered a cyberattack. The breach involved personal data registered between August 2011 and February 2021, the airline said.

SITA said at the time that a number of airlines had been targetted by a  “highly sophisticated attack”.

Air India is part of the Star Alliance coalition of airlines, and SITA handles computer operations for its frequent flyer programme.

Other airlines in the alliance warned passengers in March of the cyberattack, but most said only names and frequent flyer numbers had been accessed.

Air India’s Notification to Passengers 15 May

“In continuation to the information given 19 March 2021, this is to inform that SITA PSS, our data processor of the passenger service system which is responsible for storing and processing of personal information of the passengers has recently been subjected to a cybersecurity attack leading to a personal data leak. This incident affected around 4,500,000 data subjects worldwide.

“The breach involved personal data registered between 26 August 2011 and 3 February 2021, with details that included name, date of birth, contact information, passport information, ticket information, Star Alliance and Air India frequent flyer data (but no passwords data were affected) as well as credit cards data.

“However, in respect of this last type of data, CVV/CVC numbers are not held by our data processor. “We would also like to inform you that the following measures to ensure the safety of the data were immediately taken:

• Investigating the data security incident;
• Securing the compromised servers;
• Engaging external specialists of data security incidents;
• Notifying and liaising with the credit card issuers;
• Resetting passwords of Air India FFP programme.

“The protection of our customer’s personal data is of the highest importance to us, and we deeply regret the inconvenience caused and appreciate the continued support and trust of our passengers.”

(Source: AFP and Air India)