Following the intrusion of Passenger Service System supplier SITA in February 2021, personal data belonging to almost 4.5 million of Air India’s customers was exposed two months later. As a result, Air India announced a data breach.

On March 19, the national airline of India alerted travellers that SITA had been the target of a cyberattack.

In a breach notification sent over the weekend, Air India stated: “This is to inform you that SITA PSS, our data processor of the passenger service system (which is responsible for storing and processing of personal information of the passengers), had recently been subjected to a cybersecurity attack leading to personal data leak of certain passengers.”

Around 4,500,000 data subjects around the world were impacted by this incident.

The airline also said that between August 2011 and February 2021, there was a data breach that affected passenger information.

Nevertheless, it was discovered after looking into the security incident that neither passwords nor credit card information were obtained.

To prevent any hack attempts and ensure the security of their personal information, Air India advises its customers to change their login information.

According to an additional statement from Air India [PDF], “The breach involved personal data registered between 26th August 2011 and 3rd February 2021, with details that included name, date of birth, contact information, passport information, ticket information, Star Alliance, and Air India frequent flyer data (but no password data were affected), as well as credit cards data.

The CVV/CVC numbers for this last type of data, however, are not stored by our data processor.

We place the utmost value on protecting the personal information of our clients, and while we sincerely apologise for any inconvenience, we also value their continuing patronage and confidence. — India Air

Impact of data hack on Star Alliance members
Along with Air India, almost a dozen other airlines also warned customers that some of their personal information was compromised after a breach of SITA’s Passenger Service System (PSS), which manages everything from booking tickets to boarding.

SITA also acknowledged the situation and stated that it had contacted all relevant organisations and the impacted PSS users in early March.

When this happened, a SITA representative informed BleepingComputer that the breach affected the data of travellers from various airlines, including:

In terms of passengers carried, Lufthansa ranks second in Europe when combined with its subsidiaries; Member of Star Alliance and a partner of Miles & More
The national carrier of New Zealand is Air New Zealand.
Singapore Airlines is the nation’s primary airline.
Scandinavian Airlines (please disclose);
the national airline of Hong Kong, Cathay Pacific
The first and biggest low-cost airline in South Korea is Jeju Air.
The national airline of Malaysia is Malaysia Airlines.
The national airline and major airline of Finland is Finnair.
Some of these airlines, notably the largest airline in Europe, Lufthansa, are a part of the Star Alliance, a worldwide airline alliance with 26 members, which also includes Air India.

According to Star Alliance, its members also exchange customer information important to giving travel rewards.

Names of members, membership numbers in frequent flyer programmes, and programme tier status are the only pieces of information provided.