Air India (AI), the government’s erstwhile jewel in the sky, reported a massive data breach which has compromised the personal details and information of 4.5 million customers. The airline’s passenger system, managed by IT software company SITA which works exclusively with the airline industry globally, suffered a cyber-security attack in February this year, the airline said in a statement on May 15.

“This is to inform that SITA PSS our data processor of the passenger service system (which is responsible for storing and processing of personal information of the passengers) had recently been subjected to a cybersecurity attack leading to personal data leak of certain passengers. This incident affected around 4,500,000 data subjects in the world,” AI said. The national carrier said that customers' credit and debit card information was not leaked in the breach because SITA does not store such information. However, passenger details such as name, date of birth, contact information, passport information, ticket information, and Star Alliance and Air India frequent flyer data were compromised.

The hackers managed to extract customer information, barring payment details, that was registered on the SITA-AI system between August 26, 2011 and February 3, 2021, the statement said. It added that while the two entities will take remedial actions, passengers should change their passwords (on the AI website) to ensure the safety of their personal data.

AI was informed about the breach on February 25, 2021, and it issued a statement in March 2021 informing customers about the issue. However, this information was not widely reported.

In a statement on its website on March 19, 2021, AI said that its Passenger Service System provider suffered a sophisticated cyber attack in the last week of February 2021. “While the level and scope of sophistication is being ascertained through forensic analysis and the exercise is ongoing, the service provider has confirmed that post incident, no unauthorized activity inside the PSS infrastructure has been detected. Air India meanwhile is in liaison with various regulatory agencies in India and abroad, and has apprised them about the incident in accordance with its obligations. Air India along with the service provider is carrying out risk assessment and would further update as and when it becomes available,” it said.

In its latest statement, AI said it is investigating the data security incident, securing its compromised servers, engaging with external specialists, liaising with the credit card issuers and resetting passwords of Air India Frequent Flyer customers.

Growing cyber incidents and data leaks

Cyber-crimes have been on the rise ever since the COVID-19 pandemic began early this year, due to an increased reliance on digital tools and the internet. According to a study by software firm Micro Focus, Indian organisations have experienced a 58% increase in cyber-security challenges over the last few months, while there was a 51% increase in the challenge to investigate or remediate incidents. Around 98% of Indian organisations are short-staffed when it comes to security, the study said.

The AI data breach is one of the most significant data breaches in recent history, given that customer information stored on their servers for nearly a decade has been compromised. Indian businesses have suffered numerous data breaches in recent months. While incidents of data breaches and personal information being sold on the dark web are increasing year-on-year, the Indian government is yet to introduce a personal data protection law in Parliament. Recently, the government said it is working on a new national cyber security strategy.

In January, millions of customer records and sensitive card data belonging to millions of people were leaked on the dark web due to a security compromise at a server used by Juspay, a major payment gateway provider in the country. This was reported to be the largest data breach in the country's history at the time. In March, sensitive data belonging to millions of cardholders and users stored on MobiKwik’s servers was compromised and put up for sale online. And in April, personal details of 2.5 million users stored by stock-market brokerage Upstox were leaked.

