Air India is latest victim of Sita hack

Data on millions of people who flew with Air India between 2011 and 2021 appears to have been compromised in the recent Sita supply chain attack

A cyber attack on the systems of airline IT services specialist Sita, first reported earlier in 2021, has claimed another victim in the aviation sector, after Air India revealed that data on 4.5 million people who flew on the airline between 2011 and 2021 has been compromised by unknown actors.

The attack has already seen passenger data from several other airlines in the Star Alliance network compromised, including Singapore Airlines, Finnair, Jeju Air and Malaysia Airlines.

The Air India data includes passenger names, credit card details – although not CVV/CVC numbers – dates of birth, contact details, passport information, ticket information, and Star Alliance and Air India frequent flyer data.

In a statement, Air India said it was first informed of the incident by Sita on 25 February, but it took until late March for it to establish the identities of those affected.

Since then, the airline said, the incident has been thoroughly investigated with third-party assistance and the compromised systems secured. It has notified and liaised with the credit card issuers concerned and reset user passwords for its Air India frequent flyer scheme.

“Our data processor has ensured that no abnormal activity was observed after securing the compromised servers,” said the airline’s spokesperson.

“While we and our data processor continue to take remedial actions including, but not limited to, the above, we would also encourage passengers to change passwords wherever applicable to ensure safety of their personal data.

“The protection of our customers’ personal data is of the highest importance to us and we deeply regret the inconvenience caused and appreciate the continued support and trust of our passengers.”

Commenting on the new disclosure, Webroot principal solutions architect Matt Aldridge said: “Cyber criminals are becoming increasingly clever in the tactics they are using, and airlines have proven to be a key target over the past few years.

“At this stage, it looks like Air India has taken the right steps to ensure data safety following the incident by securing the compromised servers, engaging external specialists as well as notifying and liaising with the credit card issuers affected.”

Trevor Morgan, product manager at comforte, said airline management systems such as Sita’s were attractive targets because passenger data persists over long periods of time for booking management purposes, and tends to be highly sensitive. Penetrating such a system is therefore a “gold mine” for cyber criminals, he said.

“Airline and travel companies need to get the message that they have an ethical responsibility and a legal mandate to do everything they can to protect passenger information. Bare minimum data protection just won’t do,” said Morgan.

Without any indication that the compromised data has been leaked or sold – although if it has been exfiltrated by a malicious actor, it probably will be – one of the most significant impacts on Air India passengers will be the inconvenience of choosing new passwords for their accounts, and securing other accounts where they may have unwisely used the same credentials.

Steven Hope, CEO and co-founder of Authlogics, commented: “Air India has said that no password data was affected, but it is interesting that they make the point not once, but twice, that users should change their passwords.

“One has to wonder if there are any security measures in place to ensure that people are choosing a new password that hasn’t already been compromised. It is very common for people to reuse passwords and if their new password has already been compromised elsewhere, it undermines the point of making the change.

“We see the password-sharing pattern in breach data all the time, where people use the same password on multiple websites, including at their workplace.”
