Air India says data breach impacts 4.5 million former passengers
India's national carrier Air India said last week that a data breach at one of its software providers exposed the personal information of more than 4.5 million passengers who used its services.
The breach took place at Swiss company SITA, which makes and manages a passenger reservation system currently used by Star Alliance, the world's largest airline alliance.
The SITA breach, which was discovered and disclosed earlier this year in February, has impacted at least ten other airlines, including the likes of Malaysia Airlines, Singapore Airlines, Jeju Air, Air New Zealand, Polish Airlines, Finnair, Scandinavian Airlines, Cathay Pacific, and Lufthansa.
But while SITA disclosed the breach on March 4, very few details about what happened became public, as airlines couldn't tell what was exposed and how much data the intruder had taken.
In an update [PDF] posted last week to an initial March disclosure, Air India provided the most in-depth look at the SITA breach and its potential ramifications for the other Star Alliance airlines and their customers.
Per Air India, the SITA attacker appears to have gained access to almost a decade's worth of passenger data.
For the national Indian carrier, this meant more than 4.5 million passengers who booked a reservation between August 26, 2011, and February 3, 2021.
Data stolen in the intrusion included passenger names, dates of birth, contact information, passport information, ticket information, Star Alliance and Air India frequent flyer data, and payment card data.
Air India said that neither account passwords nor CVV/CVC card numbers were exposed, but that still leaves a wealth of information that an attacker appears to have managed to exfiltrate as part of one of the largest airline-related breaches in recent memory.
Both Air India and SITA said the intrusion is still under investigation, and new details are expected to surface once forensic investigators find new clues.
No details have yet been made public about the identity of the attacker.
However, a day after Air India disclosed its breach, a dark web portal that sells hacked data posted an entry claiming to be in possession of the Air India hacked data.
At the time of writing, it is unclear if the entry is authentic or if the threat actor is trying to take advantage of the breach's coverage in the news to scam potential customers.
‼ SITA, cyber attack: data (11.5 GB) of 4.5 million AirIndia customers for sale on the dark web. Name, date of birth, contact information, passport, ticket information. @SITAonline @airindiain @VirITeXplorer @PogoWasRight @chum1ng0 @philmuncaster @CCINLCybercrime #DataBreach pic.twitter.com/P9bu3uTCV6
SuspectFile (@amvinfe), May 23, 2021
[ALERT] Dark Leak Market posted on Darkweb site that it was selling breach information about 4.5 million customers of Air India. pic.twitter.com/2UVGyhxdYC
Fusion Intelligence Center @ DarkTracer (@darktracer_int), May 22, 2021
Catalin Cimpanu is a cybersecurity reporter for The Record. He previously worked at ZDNet and Bleeping Computer, where he became a well-known name in the industry for his constant scoops on new vulnerabilities, cyberattacks, and law enforcement actions against hackers.