Air India Passenger Data Breach Reveals SITA Hack Worse Than First Thought

Three months after air transport data giant SITA learned of a data breach, we are still learning about the damage. Air India said this week that the personal data of about 4.5 million passengers had been compromised after the incident at SITA, the data processor of the Indian flag carrier.

The stolen information included passenger names, credit card details, dates of birth, contact information, passport information, ticket information, and Star Alliance and Air India frequent flyer data, Air India said in a statement (PDF). CVV/CVC data is not held by SITA, Air India said, urging passengers to change their passwords wherever applicable to ensure the protection of their personal information.

Air India said in the statement that the attack compromised the data of passengers registered with the Indian airline over the past decade, between August 26, 2011 and February, 2021. The disclosure comes a few months after SITA said it had suffered a data breach involving passenger data. At the time, SITA said it had notified a number of airlines: Malaysia Airlines, Finnair, Singapore Airlines, Jeju Air, Cathay Pacific, Air New Zealand and Lufthansa.

The Geneva, Switzerland-based company, which serves 90% of the world’s airlines, declined in early March to say what specific information had been compromised, citing an investigation that is still ongoing. Air India said it was first informed about the cyber attack by SITA on February 25, but that the nature of the compromised information was only provided to it on March 25 and April 5. The struggling Indian airline, which survives on taxpayer money, says it has investigated the security incident, secured the compromised servers, engaged unnamed external experts, notified credit card issuers and reset the passwords of its frequent flyer programs.

Air India is the latest Indian company to report a data breach in recent months. Payments giant MobiKwik said in late March that it was investigating allegations of a data breach that leaked the personal information of nearly one million users. In late April, data allegedly belonging to about 20 million customers of BigBasket (a top grocery delivery startup in India, now owned by local company Tata) was leaked to the dark web for anyone to download.