Data Processor Breach Affected Millions
Breach Notification
,
Incident & Breach Response
,
Security Operations
Passport, Credit Card Information Exposed
Air India says millions of its customers were affected by a February data breach at SITA, a third-party data processing service based in Switzerland that serves many airlines.
See Also: The Guide to Just-In-Time Privileged Access Management
The airline says it began privately notifying customers in March about a potential security issue. Now, however, Air India notes that SITA recently provided an update about how many passengers were affected.
“This is to inform that SITA … our data processor of the passenger service system (which is responsible for storing and processing of personal information of the passengers) had recently been subjected to a cybersecurity attack leading to personal data leak of certain passengers,” according to Air India. “This incident affected around 4,500,000 data subjects in the world.”
The breach exposed customer data the airline collected between August 2011 and February of this year, the airline says.
In March, Switzerland-based SITA announced that it was the victim of what appeared to be a coordinated supply chain attack. At the time, at least four companies – Malaysia Airlines, Singapore Airlines, Finnair Airlines and Air New Zealand – appeared to have been affected, but Air India was not included in that list (see: Supply Chain Attack Jolts Airlines).
An Air India spokesperson was not immediately available for comment Friday.
The personally identifiable information exposed includes passengers’ names, dates of birth, contact information, passport and ticket information, credit card details, as well as Star Alliance and Air India frequent flyer data, according to the statement.
The breach does not appear to have affected passwords associated with the frequent flyer profiles, according to Air India.
Air India also notes that SITA has not detected suspicious or abnormal activity since the compromised servers were secured earlier this year.
“While we and our data processor continue to take remedial actions … we would also encourage passengers to change passwords wherever applicable to ensure the safety of their personal data,” Air India says.
Questions Raised
Joseph Neumann, a cyber executive adviser at consulting firm Coalfire, says Air India and SITA should have revealed the impact of the breach sooner.
“If they knew in February and are only now coming forward, that is extremely concerning,” he says. “If compromises did occur, the breach size is so large they cannot guarantee that there was no impact. The company telling people to reset their passwords also leads me to believe there is not full transparency here, and the company should be pushing a mandatory password reset on all accounts.”
There are reports, as yet unverified, of the data being sold over Telegram for 0.1 BTC ($3,830).
A Vendor in Data trading platforms across telegram groups and dark web claims to sell @airindiain Data for 0.1 BTC. Authenticity of his claim is yet to be verified. @IndianCERT @rneelmani @pareektweets @shashankrnq @nixxin @LawrenceAbrams @threatpost @asokan_akshaya pic.twitter.com/Kd44yDIW89
— Nandakishore Harikumar (@nanduhari) May 22, 2021