MUMBAI, 25 May 2021: Air India’s financial troubles intensified following confirmation that hackers have stolen personal data on about 4.5 million Air India passengers, including their credit card details.

The airline confirmed hackers had harvested names, credit
card numbers and passport information in a statement released 21 May.

The breach goes back to March when the airline was warned it
had been targeted by hackers.

The state-owned airline crippled by debts is now facing a
crisis of confidence as it attempts to close the breach in the “compromised
servers”  The breach impacts
thousands of frequent flyer members who trusted the airline with their
financial details and personal records.

The airline attempted to reassure them by saying it was
working with “external specialists” on data security as well as
credit card companies as a damage control measure. It comes at the worst
possible time for the airline, which is struggling to survive the Covid-19
pandemic that has brought India to its knees and closed down international and
domestic flights.

In a report on the incident, AFP noted that a “number of airlines had been hit by data breaches in recent years. British Airways was fined USD28 million last year by a British watchdog after details of 400,000 passengers were lost in a 2018 cyberattack. Cathay Pacific was fined USD700,000 after details of more than nine million clients were lost in 2018.”

Air India announced last March that its data processing
company, SITA PSS warned the airline it had suffered a cyberattack. The breach
involved personal data registered between August 2011 and February 2021, the
airline said.

SITA said at the time that a number of airlines had been
targetted by a  “highly
sophisticated attack”.

Air India is part of the Star Alliance coalition of
airlines, and SITA handles computer operations for its frequent flyer
programme.

Other airlines in the alliance warned passengers in March of
the cyberattack, but most said only names and frequent flyer numbers had been
accessed.

Air India’s Notification to Passengers 15 May

“In continuation to the information given 19 March 2021, this is to inform that SITA PSS, our data processor of the passenger service system which is responsible for storing and processing of personal information of the passengers has recently been subjected to a cybersecurity attack leading to a personal data leak. This incident affected around 4,500,000 data subjects worldwide.

“The breach involved personal data registered between 26
August 2011 and 3 February 2021, with details that included name, date of
birth, contact information, passport information, ticket information, Star
Alliance and Air India frequent flyer data (but no passwords data were
affected) as well as credit cards data.

“However, in respect of this last type of data, CVV/CVC numbers are not held by our data processor. “We would also like to inform you that the following measures to ensure the safety of the data were immediately taken:

• Investigating the data security incident;
• Securing the compromised servers;
• Engaging external specialists of data security incidents;
• Notifying and liaising with the credit card issuers;
• Resetting passwords of Air India FFP programme.

“The protection of our customer’s personal data is of the highest importance to us, and we deeply regret the inconvenience caused and appreciate the continued support and trust of our passengers.”

(Source: AFP and Air India)