CHENNAI: India's national carrier Air India has confirmed on Friday that it has suffered a major cyber attack in which the personal details of millions of passengers were stolen. The stolen data includes sensitive information such as passport and credit card details of passengers.
This incident has affected around 4,500,000 data subjects in the world and involves personal data registered between 26th August 2011 and 3rd February 2021, said Air India in a commune.
"This is to inform you that SITA PSS our data processor of the passenger service system (which is responsible for storing and processing of personal information of the passengers) had recently been subjected to a cybersecurity attack leading to personal data leak of certain passengers. This incident affected around 4,500,000 data subjects in the world," the national carrier said in a statement.
It added, "The breach involved personal data registered between 26th August 2011 and 3rd February 2021, with details that included name, date of birth, contact information, passport information, ticket information, Star Alliance and Air India frequent flyer data (but no passwords data were affected) as well as credit cards data."
"While we and our data processor continue to take remedial actions. We would also encourage passengers to change passwords wherever applicable to ensure safety of their personal data," it said.
Data of 4.5 million passengers -- which includes Air India's passengers -- across the world has been "affected" due to the cyberattack on SITA, the statement said.
However, the airline said that CVV/CVC data of the credit card holders were not stored in their data. It has also requested passengers to change passwords wherever applicable to ensure safety of their personal data.
"Air India would like to inform its valued customers that its passenger service system provider has informed about a sophisticated cyber attack it was subjected to in the last week of February 2021," the airline said.
While the level and scope of sophistication is being ascertained through forensic analysis and the exercise is ongoing, SITA has confirmed that no unauthorised activity has been detected inside the system's infrastructure after the incident, it added.
Air India said that it received the first information regarding the data breach on February 25, and the identity of the affected data subjects was received on March 25 and April 5. It is being said that other global airlines, especially ones who are part of Star Alliance, are likely affected too by the data breach.
According to sources at Air India, the carrier has set up a call centre to help passengers who are impacted by this breach.
The confirmation of this breach comes at a time when Air India is in the final stage of its divestment process. According to government sources, the loss-making airline will soon be handed to a private player.
"Air India meanwhile is in liaison with various regulatory agencies in India and abroad, and has apprised them about the incident in accordance with its obligations," the airline said.
However, with respect to credit cards' data, CVV/CVC numbers are not held by SITA, the airline clarified.
It said that the identity of its affected passengers was provided to it by SITA on March 25 and April 5 only.
Air India along with the service provider is carrying out risk assessment and would further update as and when it becomes available, it said.
The airline said it has taken following steps after the data security incident: Secured the compromised servers, engaged external specialists of data security incidents, notified and in talk with the credit card issuers and reset the passwords of Air India frequent flyer programme.
(With PTI Inputs)