Air India admits to data breach impacting 4.5m customers, sat on the news for five weeks

India’s flag carrier, Air India, has admitted it fell foul of the data breach at aviation information services provider SITA, and that its disclosure comes five weeks after it was notified of the situation.

A new statement [PDF] from the airline says that personal data describing around 4.5 million of its customers leaked when SITA revealed it had been breached in March 2021.

When it admitted to the breach, SITA revealed the names of airline customers that had already informed customers about the situation. Air India was not on the list SITA provided to The Register for our March 5th story, but the carrier posted its own notice on March 19th that said the airline’s “Passenger Service System provider has informed about a sophisticated cyber-attack it was subjected to in the last week of February 2021”. SITA was not named in that statement.

The new statement, dated May 15th, does name SITA and says the airline was told its customers were among those in the leak on March 25th and April 4th.

• Oh SITA: Airline IT provider confirms passenger data leaked after major 'cyber-attack'
• Singapore orders social media to correct Indian politician’s allegation of local COVID-19 variant
• Indian telcos giving away services as customers fear going outside to top up their accounts
• Indian government says 5G doesn’t cause COVID-19. Also points out India has no 5G networks

Customers have now been told that the leaked data covered “personal data registered between 26th August 2011 and 3rd February 2021, with details that included name, date of birth, contact information, passport information, ticket information, Star Alliance and Air India frequent flyer data… as well as credit card data.”

There’s some upside in the fact that frequent flier passwords weren’t lifted and that CVV/CVC numbers are not held by SITA, making it less likely that malfeasants holding the data can make unauthorised online transactions.

Air India has nonetheless recommended customers change their frequent flier passwords and promised that it took the incident very seriously and cleaned up as thoroughly as possible once it understood the problem.

But the document does not state why Air India has not disclosed the breach despite being informed it was impacted on March 25th.

The statement nonetheless ends: “The protection of our customers’ personal data is of highest importance to us and we deeply regret the inconvenience caused and appreciate continued support and trust of our passengers.” ®