Air India, the national airline of India, has reported a major cybersecurity attack on the airline’s data processor, compromising the personal details of 4,500,000 passengers. Air India’s SITA PSS data processor, which stores and processes the personal information of passengers, has been hacked. The compromised data was registered with the airline between August 26, 2011 and February 3, 2021, with details that included name, date of birth, contact information, passport information, ticket information as well as credit cards data. The statement released by Air India reads, “This is to inform that SITA PSS our data processor of the passenger service system (which is responsible for storing and processing of personal information of the passengers) had recently been subjected to a cybersecurity attack leading to personal data leak of certain passengers. This incident affected around 4,500,000 data subjects in the world.”
However, Air India claims that no CVV/CVC numbers were compromised in the leak, as these are not stored by the airline’s data processor.
The national carrier first learned that it had been subjected to the cyberattack on 25th February, and it received the identity of the affected data subjects on March 25 and April 5.
The airline has given assurances that it is taking measures to investigate the incident and secure the compromised servers. It is also notifying and liaising with credit card issuers on the matter. Air India has also urged passengers to change their passwords to ensure the safety and security of their personal data.
The full statement from Air India follows:
This is to inform that SITA PSS our data processor of the passenger service system (which is responsible for storing and processing of personal information of the passengers) had recently been subjected to a cybersecurity attack leading to personal data leak of certain passengers. This incident affected around 4,500,000 data subjects in the world.
While we had received the first notification in this regard from our data processor on 25.02.2021, we would like to clarify that the identity of the affected data subjects was only provided to us by our data processor on 25.03.2021 & 5.04.2021. The present communication is an effort to apprise of accurate state of facts as on date and to supplement our general announcement of 19th March 2021 initially made via our website.
The breach involved personal data registered between 26th August 2011 and 3rd February 2021, with details that included name, date of birth, contact information, passport information, ticket information, Star Alliance and Air India frequent flyer data (but no passwords data were affected) as well as credit cards data. However, in respect of this last type of data, CVV/CVC numbers are not held by our data processor.
We would also like to inform you that the following measures to ensure safety of the data were immediately taken:
• Investigating the data security incident;
• Securing the compromised servers;
• Engaging external specialists of data security incidents;
• Notifying and liaising with the credit card issuers;
• Resetting passwords of Air India FFP program.
Further, our data processor has ensured that no abnormal activity was observed after securing the compromised servers.
While we and our data processor continue to take remedial actions including but not limited to the above, we would also encourage passengers to change passwords wherever applicable to ensure safety of their personal data.
The protection of our customers’ personal data is of highest importance to us and we deeply regret the inconvenience caused and appreciate continued support and trust of our passengers.