Air India data of 45 lakh passengers including credit cards leaked in massive Feb breach

A cybersecurity attack on Air India's data processor back in February this year led to a data compromise of nearly 4,500,000 individuals, the airline has informed. The security breach of Air India's SITA PSS data processor, which stores and processes the personal information of passengers, has affected personal data registered between August 2011 and February 2021 (10 years). Details such as name, date of birth, contact information, passport information, ticket information, Star Alliance and Air India frequent flyer data (except for passwords), and data of credits cards of several passengers is said to have been compromised by the cyber attack. 

However, Air India has maintained that CVV/CVC numbers of passengers have not been compromised as that is not stored by the airline's data processor. The carrier has assured that it is investigating the incident and securing all the compromised servers. Moreover, it is also notifying and liaising with credit card issuers apart from engaging external specialists of data security incidents. In an attempt for affected users to thwart any untoward incident, Air India has urged passengers to change passwords wherever applicable to ensure the safety of their personal data. 

'Personal data of passengers leaked'

"This is to inform that SITA PSS our data processor of the passenger service system (which is responsible for storing and processing of personal information of the passengers) had recently been subjected to a cybersecurity attack leading to personal data leak of certain passengers. This incident affected around 4,500,000 data subjects in the world," Air India has said in a statement.  

Earlier in March this year, Air India had identified that it was subjected to a sophisticated cyber-attack in the last week of February. "While the level and scope of sophistication is being ascertained through forensic analysis and the exercise is ongoing, the service provider has confirmed that post-incident, no unauthorized activity inside the PSS infrastructure has been detected," the airline had said in a preliminary statement.

Last year, another airline SpiceJet faced a data breach that exposed the personal information of over a million passengers. The security breach had busted into an unencrypted database backup file containing the private information of more than 1.2 million passengers who flew with SpiceJet. Data exposed in the breach included passengers' names, phone numbers, email addresses, and dates of birth. Among the passengers whose data was exposed were several state officials.