Digi Aware

Data Breach Case Study: Air India Airlines Cyberattack

A recent cyberattack in February compromised Air India's IT systems, affecting the personal data of millions of people across the globe. The attack exposed the confidential data of passengers who used Air India between August 26, 2011, and February 20, 2021. It took place on the SITA passenger service system, and the data of approximately 45 lakh passengers was compromised. It is considered one of the biggest data breaches in the airline industry.

What is SITA and its association with Air India?

SITA is a Switzerland-based technology company that specializes in information technology and air transport communications. It started at a small scale with just 11 airline members and has since grown into a large company with more than 2500 customers in more than 200 countries. It provides services related to airline operations, such as reservation systems and passenger processing.

To enable Air India to join Star Alliance, the airline entered into a contract with SITA in 2017 to upgrade its IT infrastructure. SITA provided various facilities to Air India, such as a baggage reconciliation system, departure control system, online booking engine, check-in and automated boarding control, frequent flyer program, and many others.

Details of Air India Data Breach

Cyberattack

According to Air India, SITA flagged a cyber-attack in March. The attack, which occurred in February and was reported in March, exposed confidential information of some passengers who used Air India's services. The breach affected not only Air India but other airlines as well, such as Singapore Airlines, Malaysia Airlines, Air New Zealand, and Jeju Air, and other critical infrastructure is also under constant cyberattack.

SITA provided notification of the data breach. The compromised information consists of passengers’ names, dates of birth, passport information, contact information, Star Alliance and Air India frequent flyer data, credit card details, ticket information, and many others. SITA confirmed that it does not hold CVV/CVC data, but Air India requested its customers to change their passwords to ensure extra safety of their data.

Air India Response to the Incident

  • Air India is one of the Indian firms that openly disclosed the data breach. SITA has investigated the breach extensively. Owing to this cyberattack and data breach, Air India took various measures.
  • They secured the compromised servers. After this massive cyberattack, Air India engaged external data security specialists to reduce the chances of this kind of data breach occurring in the future. These external specialists pay more attention to the data safety of its customers.
  • Air India also notified the credit card issuers of the breach and the compromise of customers’ credit card details, though CVV/CVC details were not compromised.
  • Still, Air India advised its customers to change their passwords for extra safety. Air India also ensured that there was no misuse of their confidential data.
  • They even had a word with Indian regulatory agencies and overseas regulatory agencies regarding the same issue. In a nutshell, Air India took extra measures to ensure the safety of their customers’ data and other confidential information.

More From Forbes

Air India Data Breach: Hackers Access Personal Details Of 4.5 Million Customers

An Air India passenger flight prepares for landing to the Biju Patnaik International Airport in the eastern Indian state Odisha's capital city Bhubaneswar (Photo by STR/NurPhoto via Getty Images)

Air India has admitted to a massive data breach that compromised the personal data of about 4.5 million passengers.

The breach, confirmation of which comes two months after SITA's Passenger Service System (PSS) was hacked, affected customers who registered between August 2011 and late February 2021, Air India said in a statement. Compromised data includes customers’ name, date of birth, contact information, passport information, frequent flyer data and credit card data, although CVV/CVC numbers weren't included.

Passwords weren’t accessed by the hackers, Air India added, although it’s urging all customers to change their passwords as a precaution.

The airline said it first learned of the incident on February 25, but only learned the identities of affected passengers on March 25 and May 4.

"This is to inform that SITA PSS our data processor of the passenger service system (which is responsible for storing and processing of personal information of the passengers) had recently been subjected to a cybersecurity attack leading to personal data leak of certain passengers," Air India said in a breach notification sent over the weekend. 

The airline said it has taken steps to ensure data safety, including “investigating the data security incident; securing the compromised servers; engaging external specialists of data security incidents; notifying and liaising with the credit card issuers, and resetting passwords of Air India FFP program.”

However, Air India customers are unlikely to be the only victims of the SITA hack. The company told Bleeping Computer in a statement that customers from several airlines were affected, including travelers who flew with Air New Zealand, Cathay Pacific, Finnair, Jeju Air, Lufthansa, Malaysia Airlines, SAS and Singapore Airlines.

“By global and industry standards, we identified this cyber-attack extremely quickly. The matter remains under active investigation by SITA,” the company said.

“Each affected airline has been provided with the details of the exact type of data that has been compromised, including details of the number of data records within each of the relevant data categories, including some personal data of airline passengers.”

Carly Page

Air India passenger data breach reveals SITA hack worse than first thought

Three months after air transport data giant SITA reported a data breach, we are still learning about the damage.

Air India said this week that personal data of about 4.5 million passengers had been compromised following the incident at SITA, the Indian flag carrier airline’s data processor. The stolen information included passengers’ names, credit card details, date of birth, contact information, passport information, ticket information, Star Alliance and Air India frequent flyer data, Air India said in a statement (PDF).

CVV/CVC data of credit cards were not held by SITA, said Air India as it urged passengers to change passwords “wherever applicable to ensure safety of their personal data.”

The attack compromised data of passengers who had registered with the Indian airline over the past decade, between August 26, 2011 and February 3, 2021, Air India said in a statement.

The revelation comes months after SITA said it had suffered a data breach that involved passenger data. At the time, SITA said it had notified several airlines — Malaysia Airlines, Finnair, Singapore Airlines, Jeju Air, Cathay Pacific, Air New Zealand, and Lufthansa — of the breach.

The Geneva, Switzerland-headquartered firm — which is said to serve 90% of the world’s airlines — had declined to reveal the specific data that had been compromised at the time of disclosure in early March, citing an investigation — which is still ongoing.

Air India said that it was first notified about the cyberattack by SITA on February 25, but the nature of the data was only provided to it on March 25 and April 5.

The struggling Indian airline, which has been surviving on taxpayer money, claimed that it had investigated the security incident, secured the compromised servers, engaged with unnamed external specialists, notified the credit card issuers, and had reset passwords of its frequent flyer program.

Air India is the latest Indian firm to disclose a data breach in recent quarters. Payments giant MobiKwik said in late March that it was investigating claims of a data breach that allegedly exposed private information of nearly 100 million users.

Alleged records of nearly 20 million BigBasket (a top grocery delivery startup in India that is now owned by local conglomerate Tata) customers leaked on the dark web for anyone to download in late April. A security lapse at Indian telecom giant Jio Platforms exposed results of some users who had used its tool to check their coronavirus symptoms. Indian state West Bengal and giant blood test firm Dr Lal PathLabs suffered similar breaches. Air India’s peer, Spicejet, also confirmed a data breach last year.

Air India Data Breach: A Legal Analysis

The past year of the pandemic has witnessed several cyber-attacks worldwide, and India has been no different; rather, India has been one of the worst hit by such cyber-attacks. Following the massive data breach at MobiKwik, Air India recently announced that its servers were hacked, leading to unauthorized access to its customer database. It further declared that the data of approximately 45 lakh customers registered between 26th August 2011 and 3rd February 2021 has been compromised.

The compromised information includes name, date of birth, contact information, passport information, ticket information, Star Alliance and Air India frequent flyer data, as well as credit card data. It has, however, been clarified that CVV/CVC numbers were not held by the data processor of Air India and thus the key information for executing transactions was not stolen.

Relevant IT Provisions  

In India, we do not have a separate branch of law that regulates data protection or penalizes failure to do so. The Information Technology Act, 2000 (“IT Act”) is the parent Act under which specific rules have been drafted.   

Section 43A lays down that a body corporate shall be responsible for the implementation and maintenance of reasonable security practices and procedures and can be held liable for damages in case of negligence, where wrongful gain or wrongful loss is caused as a consequence of negligence.

The Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules 2011 (“SPDI Rules”) lay down the procedures to ensure the safety and security of sensitive personal information. Under these Rules, an entity that collects personal information is required to publish a privacy policy stating the purpose for which such information is collected. It is also required to have reasonable security practices in place in order to maintain the confidentiality of the information.

Under these SPDI Rules, the following forms of data fall within the ambit of “Sensitive Personal Data or Information”:

  • Passwords;   
  • Financial information such as Bank account or credit card or debit card or other payment instrument details;   
  • Physical, physiological and mental health condition;  
  • Sexual orientation;  
  • Medical records and history;  
  • Biometric information;   
  • Any detail relating to the above clauses as provided to body corporate for providing service; and   
  • Any of the information received under above clauses by body corporate for processing, stored or processed under lawful contract or otherwise.  

The SPDI Rules mandate that each body corporate shall provide a policy for privacy and disclosure of information. This policy shall be compulsorily implemented wherever such body corporate collects, receives, possesses, stores, deals in or handles information of the provider of information.

Under rule 5, a body corporate is required to obtain prior consent from the information provider regarding the purpose of usage of the SPDI. Such information should be collected only if it is essential and required for a lawful purpose connected with the functioning of the body corporate. Such body corporate shall also obtain prior permission before disclosing any such SPDI unless required under contract or law.   

These Rules further make it mandatory for a body corporate to implement reasonable security measures in relation to the SPDI. These measures should be commensurate with the information being collected. The Rules cite the international standard IS/ISO/IEC 27001 on “Information Technology – Security Techniques – Information Security Management System – Requirements” as one such standard.

In cases of data breach, like in the present case of Air India, a person on its behalf shall now be required to demonstrate, as and when called upon to do so by the agency mandated under the law, that they have implemented security control measures as per their documented information security programme and information security policies.   

In case of a data breach, the body corporate shall be liable to pay damages or compensation to affected persons where it is proven that such body corporate possessing SPDI was negligent in protecting such information.

The law further mandates that the data by such body corporates shall not be retained longer than required.   

Data Protection Bill: The Way Forward 

The Personal Data Protection Bill, 2019 (“the Bill”), has been put together by the committee constituted by the Ministry of Electronics & Information Technology, and chaired by Justice Srikrishna. The Bill shall be applicable to the processing of personal data that has been collected, disclosed, shared or otherwise processed within the territory of India. Further, the Bill shall be applicable to the government, any Indian company, any citizen of India or any person or body of persons incorporated in India. The Bill shall also be applicable where a foreign company deals with personal data of individuals in India.

Further, the Bill mandates that data shall be collected for clear and lawful purposes and shall be deleted after such purpose has been fulfilled. The Bill also constitutes a Data Protection Authority, which shall ensure adherence to the provisions of the Bill, promote data protection awareness and adjudicate the rights of individuals. The Bill imposes huge penalties (in crores) where such data is not protected by the entity responsible (“data fiduciary”) or is processed without the consent of the individual.

The Bill seeks to solidify and implement stringent laws with regards to Data Privacy which, until now were only regulated by several loosely enforced regulations. The Bill is at par in its legal framework with the General Data Protection Regulation implemented in the European Union.  

Conclusion  

The August 2017 judgement of the Supreme Court in Puttaswamy v. Union of India, which declared the right to privacy a fundamental right under the Constitution, set the ball rolling for the implementation of data protection laws. In the current scenario, it would imply that the privacy of any passenger who travels by airline and submits their data shall be subject to the prevailing privacy laws and shall be regarded as their fundamental right. The airlines would need to comply with the laws before putting the passengers’ information to use or disclosing such information to a third party. Further, the airlines would also need to be responsible for the protection of the information provided and for putting the required infrastructure in place.

Protection of information is a challenge faced by businesses, and it must be facilitated by technology. Organizations do not focus on protecting their data, which is the raw material on which the entire organizational machinery feeds.

It is a commonly known fact that putting the infrastructure for data protection in place comes with a heavy cost, but as is often said, “Prevention is better than Cure”: protection of data beforehand is a much less meticulous and expensive task than curing the effect of any data breach caused. With a team of experts, both in the field of technology and law, a foolproof data protection strategy can be implemented.

StartupTalky

How did Air India suffer a massive data breach and why should you be concerned about it?

Alan Joseph

There have been many recent incidents related to data breaches at different companies, including top companies in and around the country. The most recent data breach was reported by the well-known airline of India, Air India. Let’s look at the information about the data breach faced by the airline.

  • About the Air India Data breach
  • What is SITA?
  • Details of the Air India Data breach
  • Steps taken by Air India after the Data Breach
  • How does the Data Breach Affect You?
  • FAQ

About the Air India Data breach

Air India has conveyed that the data of millions of passengers has been compromised due to a cyber attack, and that it involves the personal data of passengers registered between 26 August 2011 and 20 February 2021.

The airline has announced that the data breach had taken place due to a breach from the SITA passenger service system and the data breach involved the information of around 45 lakh passengers.

What is SITA?

SITA is a technology-based company located in Switzerland. The company specializes in information technology and air transport communications. The company, which started with 11 member airlines, now has a customer base of 2,500 customers in more than 200 countries across the globe.

Some of the services offered by the company include reservation systems, passenger processing, etc. In the year 2017, Air India entered into a deal with SITA to enable the airline to join Star Alliance by updating its IT infrastructure.

Details of the Air India Data breach

In the month of March, Air India had communicated that SITA had been under a cyberattack in the last week of February which led to the leakage of personal information of its passengers.

In a statement, the company mentioned that the data of around 45 lakh passengers from across the world has been compromised due to the cyber attack. The personal data registered between 26 August 2011 and 20 February 2011 has been compromised.

The company has conveyed that the data that were breached during the cyber attack included the name, date of birth, contact details, passport information, ticket information, frequent flyer data and even the credit card information.

Steps taken by Air India after the Data Breach

The airline has conveyed that it would launch an investigation into the incident. It has also conveyed that it has taken steps to secure the compromised servers, engage certain external specialists in data security incidents, reset passwords of its frequent flyer programme and contact the credit card customers.

Global Average Total cost of Data breach

How does the Data Breach Affect You?

This data breach would affect you as an individual only if you have used the airline's services between the mentioned dates. The important point is that the credit card information has also been compromised, and it can be a threat to your credit card.

Air India has assured its passengers that there was no evidence of any misuse of the compromised data. However, the airline has asked everyone to change the passwords of their confidential data, which includes your credit card password and frequent flyer programme.

What data got leaked in the Air India data breach?

The personal data of around 45 lakh passengers were leaked, which includes name, date of birth, contact details, passport information, ticket information, frequent flyer data and even the credit card information.

How did Air India face a data breach?

Air India announced that the data breach had taken place due to a breach from the SITA passenger service system.

Who took over Air India?

Tata Sons Ltd were the frontrunner in acquiring Air India.

Cyberattacks have been reported frequently by different companies and are posing a serious threat towards the privacy of individuals. The rise in digitalization across the globe has led to an increase in the cyber crimes and cyber attacks by the criminals.


Air India data breach exposes India's cybersecurity deficiencies

  •  BY Jatinder Singh


  •  Jun 02, 2021

India is swiftly becoming one of the favorite hunting spots for cybercriminals. It's time the country takes concrete measures to secure the personal data of its citizens.

Air India data breach exposes India's cybersecurity deficiencies - CIO&Leader

The country's national carrier, Air India, recently disclosed an infringement on its passenger service system that compromised the personal data – including date of birth, contact particulars, passport, and credit card details – of 45 lakh passengers.

The attack was part of a well-coordinated series of hacks on the passenger service system servers of Société Internationale de Télécommunications Aéronautiques (SITA). This global ICT solution provider delivers services to 90% of the worldwide aviation industry. The data security incident impacted several international airlines, such as Singapore Airlines, Lufthansa, Malaysian Airlines, and Finnair. The level of data breach impact varied from one airline to another.

Data breach response plan

While the Geneva-based solution provider had informed about this incident to all its customers in February 2021, for a bizarre reason, Air India did not feel the urgency to advise its customers on taking necessary precautions such as changing account passwords.

Once again, the incident has revealed India's delayed approach to responding to a cybersecurity urgency and prevalent deficiencies in its IT governance model. It may not be possible to control all network intrusion incidents, impacting even those organizations that deploy robust security solutions and tools. However, companies must provide a roadmap once the breach is discovered and help minimize the damage incurred. Setting up a robust incident response plan is critical. It should be in place to examine the violation, find reasons for the security breach, urgent steps to limit the damage, and efforts needed to beef up the security.

In this case, most of the impacted airline carriers globally immediately informed their travelers about the data breach and the recommended action steps when the incident came to light. Air India surprisingly took almost three months to notify its customers whose data was compromised.

One may argue that the national carrier was ascertaining the level and scope of the data security attack and wanted to know the full details of travelers whose data was compromised. But in any cybersecurity breach, timely action can help activate a successful incident response mechanism, something which Air India could not do. 

Growing incidents a colossal concern

Ever since the COVID-19 pandemic began, there has been a steep rise in the cases related to data breaches in India. In an era where companies are growing their digital footprints and remote-working has become a new norm, endpoint abuse has increased multiple times among enterprises of all sizes.

According to IBM Security's annual Cost of Data Breach report, which covered 524 organizations globally, India reported the second most cyberattacks after Japan in the Asia Pacific region in 2020. With almost a 10% increase, the financial impact of these breaches was about INR 140 million. More than the financial loss, such violations can make a severe dent in business reputation, and influence customer trust.

In Nov 2020, online grocer, Bigbasket, came to know about a major data breach on its network when it found leaked data of its two crore customers was up for sale for INR 30 lakh on the Dark Web. In May 2020, Bangalore-based learning platform, Unacademy's corporate data, the details of its 20 million user accounts, was hacked and being sold on the Dark Web for about INR 1.5 lakh.

Pizza restaurant chain, Domino’s Pizza, became the latest victim of an enormous data breach, compromising the credit card details, name, mobile numbers, and location history of its 180 million customers.

In the post-covid era, hackers are expected to get even more innovative. With the number of unsecured endpoints increasing, coupled with enterprises focusing on integrating their processes with new-age technologies, networks are becoming more susceptible and need significant investment and research efforts.

The urgency of strong data protection law

In the current digital age, modern security threats are becoming complex. While organizations need to invest significantly in their research and technology capabilities to mitigate such breaches, the Indian government also needs to expedite the process to introduce strong data security laws. Like the European Union's GDPR law, Indian data protection laws also need to classify privacy as a fundamental right.

The absence of a proper legislative framework makes it difficult for Indian citizens to get clarity around their rights in case of any violation of their privacy. The country that aims to become the IT superpower has been waiting for express legislation, a data protection bill, that deals with data protection.

For instance, if we had a robust data protection bill, a national carrier like Air India would have been bound to notify its flyers about the data breach incident in a specific timeframe. In most advanced countries, companies are required to undertake necessary actions within 72 hours of becoming aware of the data breach incident. Any inefficiency may result in significant fines.

The Personal Data Protection Bill, proposed in 2017, needs urgent implementation with solid parameters to define user privacy. In the digital economy, data is the goldmine that gives companies an edge to build great products and services. If the same data continues to be compromised for malicious and exploitive purposes, consumers' trust in the new shining digital economy will get weakened.


Explained: What is the Air India data breach that has hit its customers?

Air India data breach: The airline said the cyber-attack that compromised the data of millions of passengers from across the world involved personal data registered between August 26, 2011 and February 20, 2021.


National carrier Air India has notified its passengers of a data breach that occurred in February at the SITA passenger service system. The airline said the breach involved data of 45 lakh passengers being leaked.


What is SITA and how is Air India involved?

SITA is a Switzerland-based technology company specialising in air transport communications and information technology. The company was started by 11 member airlines and now has over 2,500 customers in more than 200 countries. SITA offers services such as passenger processing, reservation systems, etc.

Air India had entered into a deal with SITA in 2017 to upgrade its IT infrastructure to enable it to join Star Alliance.

At Air India, SITA also implemented an online booking engine, departure control system, check-in and automated boarding control, baggage reconciliation system and the frequent flyer programme.


What are the details of the Air India data breach?

In March, Air India had said that SITA had flagged a cyber-attack it was subjected to in the last week of February and said it led to the leak of personal data of some of the airline’s passengers.

In its notification to the affected passengers, the airline said that the cyber-attack that compromised the data of millions of passengers from across the world involved personal data registered between August 26, 2011 and February 20, 2021. It said the breached data included the passenger’s name, date of birth, contact information, passport information, ticket information, frequent flyer data and credit card information.

How did Air India respond to the incident?

Following the incident, Air India said it took a number of steps. These include securing the compromised servers, engaging external data security specialists, notifying the credit card issuers and resetting the passwords of Air India frequent flyer programmes. While Air India assured its passengers that there was no evidence of any “misuse” of the data, it said it was in talks with regulatory agencies in India and overseas and also advised the passengers to change their passwords.


sghosh

Air India data breach highlights concerns around third-party risk and supply-chain security

The attack on one of Air India’s service providers shows why third-party risk management is just as important as managing organizational risk.


A cyberattack on systems at airline data service provider SITA has resulted in the leaking of personal data of 4.5 million passengers worldwide, Air India told its customers earlier this month. The data breach highlights the risk posed to airlines and their customers of third-party IT systems.

SITA first notified the airline of the breach on February 25, 2021, but it wasn’t until March 19 that Air India disclosed it on its website. And while Air India received further details of the extent of the breach on March 25 and April 5, it waited until May 15 before passing them on to its customers.

The compromised dataset comprises passenger information collected between August 26, 2011 and February 3, 2021. It includes names, contact information, dates of birth, passport details, ticket information, and credit card details—although the Card Verification Values (CVVs) of the compromised cards are not stored by the system, Air India said.

Since the breach was disclosed, SITA has reported no unauthorized activity in the passenger service system’s infrastructure.

The incident is the second major data breach to affect an Indian airline in the last two years. In January 2020, a security researcher revealed that SpiceJet suffered a data breach that led to the compromise of 1.2 million passenger records.

Growing concerns around third-party risk management

The Air India data breach is not a standalone incident. The cyber-attack on SITA’s passenger service system affected Singapore Airlines, Lufthansa, Malaysia Airlines and Cathay Pacific as well.

Following the breach disclosure, security experts have highlighted the criticality of managing third-party risks and securing the supply chain.

David Sygula, senior cybersecurity analyst at CybelAngel, explained that as organizations are relying on cloud providers to drive digital transformation, managing third-party risk is critical in the present day.

“Organizations must constantly scan for leaked documents outside the enterprise perimeter, including connected storage, open databases, cloud applications, and the dark web to uncover confidential and sensitive data quickly, before it is exploited,” he said.

Almost all recent data breaches can be attributed to either shortcomings in technology or in user behavior. As Dipesh Kaura, general manager at Kaspersky (South Asia) explains, “While enterprises build a robust security infrastructure for their networks, they often fail to protect themselves from the two other equally important aspects: human error and third-party service providers.”

While airline companies deploy state-of-the-art firewalls and set up next-gen security practices, Sonit Jain, CEO of GajShield Infotech believes they turn a blind eye to managing vulnerabilities and risk stemming from supply chain systems and third-party data processors.

“Though no airline systems were directly attacked, it raises concern on how cyber attackers are finding it easy to use third-party services and product providers, rather than spend effort and time penetrating the cyber defenses of an enterprise,” he said.

Security audits are no silver bullet

In 2016, Air India stated that its cybersecurity infrastructure would be augmented with the implementation of the National Critical Information Infrastructure Protection Center (NCIIPC) recommended framework. Additionally, the airline said that committees would be formed to assess and mitigate any security incidents and oversee the progress of policy implementation.

However, none of these measures could thwart the data breach, which is further proof that testing for vulnerabilities and assessing risks cannot be left to auditors and regulators.

“First and foremost organizations constantly neglect to implement basic security controls; these defects are then not detected by auditors and regulators. Secondly the lack of adequate monitoring and detection means that security breaches go unnoticed for months,” said David Spinks, chairman and moderator of Global Digital Identity (GDI).

Lessons for airline CISOs

For Kaura, it’s evident that humans are the weakest link in the cybersecurity ecosystem, and therefore it’s important for organizations to train their non-IT staff and make them aware of phishing, malware, and brute force attacks.

For Sonit Jain, on the other hand, it’s prudent to limit the amount of data shared with third-party vendors. “You need to be as diligent with third parties as you are with your own enterprise. Any weakness in this link will only weaken your enterprise security,” he said.

In addition to this, he believes organizations shouldn’t lock on to a single vendor and that it’s essential to plan an exit strategy. It would also help if employees of the partner company follow the same policies as the organization’s own employees.

The Air India security incident serves as a good learning for airline companies not only in India, but also across the globe, given the reliance on third-party data processors and supply chain vendors.


An avid observer and chronicler of emerging technologies with a keen eye on AI and cybersecurity. With wide-ranging experience in writing long-tail features, Soumik has written extensively on the automotive, manufacturing and BFSI sectors. In the past, he has anchored CSO Alert - CSO India's cybersecurity bulletin and been a part of several video features and interviews.


Air India data breach impacts 4.5 million customers

Sergiu Gatlan

  • May 21, 2021


Air India disclosed a data breach after personal information belonging to roughly 4.5 million of its customers was leaked two months following the hack of Passenger Service System provider SITA in February 2021.

The Indian national carrier first informed passengers that SITA was the victim of a cyberattack on March 19.

"This is to inform that SITA PSS our data processor of the passenger service system (which is responsible for storing and processing of personal information of the passengers) had recently been subjected to a cybersecurity attack leading to personal data leak of certain passengers," Air India said in a breach notification sent over the weekend. 

"This incident affected around 4,500,000 data subjects in the world."

The airline added that the breach impacted the data of passengers registered between August 2011 and February 2021.

Nevertheless, after investigating the security incident, it was found that no credit card information or password data was accessed during the breach.

However, Air India urges its passengers to change their credentials to block potential breach attempts and ensure their data security.

"The breach involved personal data registered between 26th August 2011 and 3rd February 2021, with details that included name, date of birth, contact information, passport information, ticket information, Star Alliance, and Air India frequent flyer data (but no passwords data were affected) as well as credit cards data," Air India added [PDF].

"However, in respect of this last type of data, CVV/CVC numbers are not held by our data processor."

The protection of our customers’ personal data is of highest importance to us and we deeply regret the inconvenience caused and appreciate the continued support and trust of our passengers. — Air India

Data breach impacts Star Alliance members

Almost a dozen more air carriers besides Air India informed passengers that some of their data was accessed during a breach of SITA's Passenger Service System (PSS), which handles transactions from ticket reservations to boarding.

SITA also confirmed the incident saying that it reached out to affected PSS customers and all related organizations in early March.

At the time, a SITA spokesperson told BleepingComputer that the breach impacts data of passengers from multiple airlines, including:

  • Lufthansa - combined with its subsidiaries, it is the second-largest airline in Europe in terms of passengers carried; Star Alliance member and Miles & More partner
  • Air New Zealand - flag carrier airline of New Zealand
  • Singapore Airlines - flag carrier airline of Singapore
  • SAS - Scandinavian Airlines (disclosure here)
  • Cathay Pacific - flag carrier of Hong Kong
  • Jeju Air - the first and largest South Korean low-cost airline
  • Malaysia Airlines - flag carrier airline of Malaysia
  • Finnair - flag carrier and largest airline of Finland

Some of these air carriers (including Air India) are part of the Star Alliance, a global airline network with 26 members, including Lufthansa, the largest in Europe.

Star Alliance told BleepingComputer that its members also share customer details relevant to awarding traveling benefits. 

The information is limited to membership names, frequent flyer program membership numbers, and program tier status.


45 Lakh Affected In Massive Air India Data Breach Including Credit Cards

Air India data breach: Names, date of birth, contact information and ticket information have also been compromised in the attack that targeted Geneva-based passenger system operator SITA.

Air India customers registered with the airline between 26th Aug 2011 and 3rd Feb 2021 were affected.

Ten years' worth of Air India customer data including credit cards, passports and phone numbers have been leaked in a massive cyber-attack on its data processor in February, the airline has announced.

The incident has affected around 45 lakh customers registered between 26th August 2011 and 3rd February 2021, Air India said, disclosing the scale of the breach nearly three months after it was first informed of it.

Names, date of birth, contact information and ticket information have also been compromised in the 'highly sophisticated' attack that targeted Geneva-based passenger system operator SITA that serves the Star Alliance of airlines including Singapore Airlines, Lufthansa and United besides Air India.

"SITA PSS our data processor of the passenger service system (which is responsible for storing and processing of personal information of the passengers) had recently been subjected to a cybersecurity attack leading to personal data leak of certain passengers. This incident affected around 4,500,000 data subjects in the world," Air India said in an email to customers.

"While we had received the first notification in this regard from our data processor on 25.02.2021, we would like to clarify that the identity of the affected data subjects was only provided to us by our data processor on 25.03.2021 and 5.04.2021," it added.

"The breach involved personal data registered between 26th August 2011 and 3rd February 2021, with details that included name, date of birth, contact information, passport information, ticket information, Star Alliance and Air India frequent flyer data (but no passwords data were affected) as well as credit cards data. However, in respect of this last type of data, CVV/CVC numbers are not held by our data processor," the airline said.

Air India data breached in a major Cyber attack. Breach involves Passengers personal Information including Credit Card Info and Passport Details. Other Global Airlines are likely affected too. #airindia #CyberAttack @airindiain @rahulkanwal @sanket @maryashakil pic.twitter.com/XxUORgInJQ — Jiten Jain (@jiten_jain) May 21, 2021

Air India said it had launched an investigation into the incident and took steps including securing the compromised servers, engaging external specialists of data security incidents, contacting credit card issuers and resetting passwords of its frequent flyer programme.

"While we and our data processor continue to take remedial actions...We would also encourage passengers to change passwords wherever applicable to ensure safety of their personal data," it said.

SITA had publicly announced the incident first in March prompting almost a dozen different airlines including Singapore Airlines and Malaysia Airlines to inform passengers that some of their data was accessed by an intruder.


Last year British Airways incurred a 20 million-pound (over Rs 180 crore) fine after failing to protect data that left more than 4 lakh of its customers' details the subject of a 2018 cyber-attack.

Other major cyber incidents in the recent past include another London-listed airline, easyJet, which last year said hackers had accessed the email and travel details of around 90 lakh customers.


Dawn M. Turner (guest) : 25. June 2021

Air India's Data Breach - data security is more crucial than ever.

Recent global events have demonstrated that high-profile hackers and state-sponsored security breaches have been steadily increasing since 2020. It is quickly becoming clear that no industry is immune to becoming a victim of a data breach, including the airline industry, where the safety of crew and passengers is jeopardised.

The world was shocked by the recent seizure of a civilian Ryanair jet over Belarus airspace on May 23, 2021, en route to Lithuania from Greece. For those unaware of this incident, the passenger jet was forced by a Belarusian fighter jet to divert to Minsk under the pretense of having a bomb on board. Instead, Belarus’ KGB security operatives were on the hunt for a known dissident, journalist Roman Protasevich, a prominent critic of Alexander Lukashenko, Belarus’ authoritarian leader.

The Belarus incident alone is sufficient to emphasise the importance of safeguarding passenger data from third parties, whether hackers or dangerous dictators. Worryingly, this is not the first instance of a data security breach in the airline industry in the last year. It was recently announced that Air India had suffered a massive data breach that compromised flyer data from August 2011 to February 2021. If nothing else, this news emphasises the importance of keeping passenger data secure through compliance with major data security rules.

What is Known about Air India’s Data Breach

Air India announced in May 2021 that its customer database had suffered a massive security breach. It informed its affected passengers that the “breach involved some personal data registered between August 2011 and February 2021” and that “no password data was affected.”

Approximately 4.5 million records may have been leaked in this massive security breach. Leaked data included passengers’:

  • Contact information
  • Date of birth
  • Ticket information
  • Passport information
  • Credit card data
  • Frequent flyer data

The circumstances surrounding Air India's security breach are unclear. The breach was discovered during a recent cybersecurity attack on the airline's third-party data processor, SITA PSS, which handles the storage and processing of passengers' personal information in the cloud.

Air India has stated that it first received notice of the breach from its data processor on February 25, 2021. However, they were not advised of the identities of the affected passengers until March 25 and April 5. The airline claims that no password data was breached. It further claimed that credit card data was not breached, and its data processor did not retain CVV/CVC numbers.

Air India Response to the Security Breach

In response to the breach, Air India announced that it had taken the following steps to protect passenger data:

  • Investigating the security breach
  • Securing the servers that were compromised
  • Working with external data security incident specialists
  • Notifying and working with credit card issuers
  • Resetting passwords for its Frequent Flyer program

The airline further stated:

Further, our data processor has ensured that no abnormal activity was observed after securing the compromised servers. While we and our data processor continue to take remedial actions including but not limited to the above, we would also encourage passengers to change passwords wherever applicable to ensure safety of their personal data. The protection of our customers’ personal data is of highest importance to us, and we deeply regret the inconvenience caused and appreciate continued support and trust of our passengers.

What Needs to Be Done to Protect Business and Customer Data

The Air India security breach was India’s second major airline data breach within six months. In December, IndiGo’s servers were hacked, and the airline announced that it was possible that the stolen information could be uploaded on public websites and platforms by hackers.

The number of security breaches grew exponentially during the COVID-19 pandemic and continues with no stop in sight post-pandemic. Let’s also consider the recent high-profile attacks that have threatened critical infrastructures, such as the cyberattacks on the Colonial Pipeline in the United States and the world’s largest meat supplier, JBS. No company is immune from falling victim to a cyberattack.

The question is whether companies like Air India and others are doing enough from a data security and data privacy point of view to protect themselves and their customers that put their trust in them. It is of the utmost importance that organizations take further steps to bulletproof their data from cyberattacks, especially if they are using external third-party services.

Compliance with best-practice data security guidelines and international standards is a significant step to prevent future breaches. Additionally, to mitigate the potential damage of breaches that may occur, it is of utmost importance that an organisation employs a strong encryption strategy and operational processes. To prevent unencrypted data being accessed by unauthorized parties, Air India must take steps to ensure that:

  • Its data remains encrypted while at rest in its databases.
  • Its data remains encrypted in transit as it moves between clients, applications, and Air India personnel.
  • The HSMs are not accessible to the third-party data processor.
  • Only Air India performs key management.
  • Its encryption keys are never held by its third-party data processor and remain stored in Air India’s vaulted data center.
  • Third parties do not have access to readable data.
  • Multifactor authentication is mandatory for clients, limiting access to data to authorized persons only, such as passengers, who can view only their own personal data.

These steps towards best practice emphasize the need for strong cryptography (using HSMs) and lifecycle key management, so that a business can be confident that its sensitive data (at rest or in use) is protected against breaches and remains encrypted even if attackers gain access to it.
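The key-custody rules in the list above, as an added sketch in Go (not code from the article, Air India or SITA): the data owner encrypts sensitive fields under a per-record data key and wraps that key under a key-encryption key (KEK) it never shares, so the processor's copy holds only ciphertext. `StoredRecord`, `Protect`, `Reveal` and `Exposes` are hypothetical names, the sample values are constructed, and the in-memory KEK stands in for one held in an HSM.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/json"
	"errors"
	"fmt"
)

// StoredRecord is all the processor holds (hypothetical layout); no usable key.
type StoredRecord struct {
	BookingRef string            `json:"booking_ref"`
	WrappedDEK []byte            `json:"wrapped_dek"`
	Fields     map[string][]byte `json:"fields"`
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key) // a 32-byte key selects AES-256
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// seal returns nonce || ciphertext || tag; aad is authenticated, not encrypted.
func seal(key, plaintext, aad []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, aad), nil
}

func open(key, blob, aad []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	if len(blob) < gcm.NonceSize() {
		return nil, errors.New("ciphertext too short")
	}
	return gcm.Open(nil, blob[:gcm.NonceSize()], blob[gcm.NonceSize():], aad)
}

// Protect runs on the data owner's side, before anything reaches the processor.
func Protect(kek []byte, ref string, sensitive map[string]string) (*StoredRecord, error) {
	dek := make([]byte, 32) // fresh data-encryption key for this record
	if _, err := rand.Read(dek); err != nil {
		return nil, err
	}
	rec := &StoredRecord{BookingRef: ref, Fields: map[string][]byte{}}
	for name, value := range sensitive {
		ct, err := seal(dek, []byte(value), []byte(ref+"|"+name)) // AAD binds field to record
		if err != nil {
			return nil, err
		}
		rec.Fields[name] = ct
	}
	var err error
	if rec.WrappedDEK, err = seal(kek, dek, []byte("dek|"+ref)); err != nil {
		return nil, err
	}
	return rec, nil
}

// Reveal works only where the key-encryption key (KEK) lives.
func Reveal(kek []byte, rec *StoredRecord, field string) (string, error) {
	dek, err := open(kek, rec.WrappedDEK, []byte("dek|"+rec.BookingRef))
	if err != nil {
		return "", fmt.Errorf("unwrap data key: %w", err)
	}
	pt, err := open(dek, rec.Fields[field], []byte(rec.BookingRef+"|"+field))
	if err != nil {
		return "", fmt.Errorf("field %q: %w", field, err)
	}
	return string(pt), nil
}

// Exposes reports whether value is readable in what the processor stores.
func Exposes(rec *StoredRecord, value string) bool {
	stored, _ := json.Marshal(rec)
	return bytes.Contains(stored, []byte(value))
}

func main() {
	kek := bytes.Repeat([]byte{0x42}, 32) // demo only: a real KEK stays in the owner's HSM
	rec, err := Protect(kek, "ABC123", map[string]string{"passport": "X0000000"})
	if err != nil {
		panic(err)
	}
	passport, err := Reveal(kek, rec, "passport") // sample values are constructed
	fmt.Println(Exposes(rec, "X0000000"), passport, err)
}
```

A copy of the processor's records then yields booking references and ciphertext; reading a passport number also requires the KEK, which never left the owner.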


The Economic Times


Air India server hacked; data of 4.5 million consumers compromised


“This is to inform that SITA PSS our data processor of the passenger service system (which is responsible for storing and processing of personal information of the passengers) had recently been subjected to a cybersecurity attack leading to personal data leak of certain passengers. This incident affected around 4,500,000 data subjects in the world,” the national carrier said in a statement.


Air India says February’s data breach affected 4.5 mln passengers


Reporting by Arunima Kumar in Bengaluru; Editing by Amy Caren Daniel


Air India Cyber-Attack: Massive data breach leaks personal details of 45 lakh customers

The cyber-attack leaked ten years of customer data, including credit cards, phone numbers, and passport details of 45 lakh customers. Read all you need to know.

Roopashree Sharma

Air India on May 21, 2021, reported a massive cyber-attack in February 2021 that leaked ten years of customer data, including credit cards, phone numbers, and passport details of 45 lakh customers.

Air India in personal communication with the customers whose details got compromised in the cyber-attack said, “As part of our commitment, we would like to inform you that SITA PSS, our data processor of the passenger service system, recently notified Air India of a data security breach involving personal data of certain passengers, including yours.”

The breach targeted the personal details of passengers between August 26, 2011, and February 20, 2021, which included name, contact information, date of birth, ticket information, frequent flyer data, passport information, and credit card details. However, the data processor SITA PSS does not store CVV or CVC numbers, the airline assured.

The airline further said that it received the identities of the customers affected in the breach between March 25 and April 5, 2021.

The airline is investigating the breach, securing the compromised servers, and resetting passwords of the frequent flyer program. Meanwhile, the company also asks the affected customers to change their passwords wherever applicable.

Other cyber-attacks on airlines

  • British Airways in 2020 incurred a 20 million pound fine after its failed attempt at protecting the data of more than 4 lakh of its customers.

What is a cyber-attack?

  • A cyber-attack is a deliberate malicious attempt by individuals or organizations to breach the system of another company or individual to seek confidential or personal data.

What is cyber-security?

  • Cyber-security comprises practices, technologies, and processes designed to protect cyberspace and networks from cyber-attacks.

Cyber-Security Laws in India

  • Information and Technology Act, 2000 (also known as Indian Cyber Act)
  • Information and Technology Amendment Act, 2008 (ITAA)
  • National Cyber Security Strategy, 2020
  • Cyber Surakshit Bharat Initiative


Air India data breach: Login ids, passwords of airline's B2B customers compromised

It is not the first time that Air India’s data has been compromised. There were reports in February 2021 that stated hackers stole the personal data of 4.5 million Air India passengers.

Nidhi Singal

  • Updated Sep 09, 2022, 12:56 PM IST


Days after Akasa Air’s data breach incident, Air India’s data has also been compromised. The airline has sent emails to its B2B customers informing them that the login user IDs and passwords of a limited number of B2B clients were compromised. The compromise happened at Air India’s GST portal, which is provided by Accelya Solutions Ltd.

The compromised user IDs and passwords have been used by an unauthorised party to access their GST invoices and publish them in the public domain, the email issued by the company stated.

The email accessed by Business Today also stated that having noticed this incident, Air India has taken immediate steps with the service provider to change the access credentials of all user IDs for the GST portal.

Responding to Business Today’s query, an Air India spokesperson said: “An outsourced external agency has experienced data breach of their systems, which compromised some information regarding Air India’s agents. We would like to state that no data related to any passenger or customer of Air India has been affected by this breach at the external agency's end.”

The spokesperson further said: “Air India has taken immediate action and reached out to all the B2B clients besides alerting the external agency to take corrective measures. Action on resetting of passwords has already been taken and a 2-factor password authentication has already been implemented. Air India has pulled out all stops to ensure that corrective and preventive measures are strictly adhered to by this external agency to mitigate any such breach in future.”

It is not the first time that Air India’s data has been compromised. There were reports in February 2021 that stated hackers stole the personal data of 4.5 million Air India passengers.

Given the rising number of data breach incidents in the country, the Indian government is trying to tighten the norms with the new cybersecurity directive issued recently, which mandates all companies to report cyber incidents to CERT-In within 6 hours of noticing such incidents or being brought to notice about such incidents. This reporting window is significantly shorter than that in the EU, where data breach incidents have to be reported within 72 hours.


Air India Data Breach – Burning Issues – Free PDF Download

Adda247


What has happened?

  • The servers of Air India were recently hacked, leading to the unethical access of personal information related to scores of passengers, the national carrier said in a statement issued on May 21.
  • The information stored on the passenger service system includes credit card and passport details.
  • The cyberattack on Air India, according to the airline, has affected the data of around 45 lakh flyers around the world.
  • “Our data processor of the passenger service system (which is responsible for storing and processing of personal information of the passengers) had recently been subjected to a cybersecurity attack leading to personal data leak of certain passengers. This incident affected around 4,500,000 data subjects in the world,” said the statement issued by Air India.

What type of data, and from when?

  • The breach involved personal data registered between 26th August 2011 and 20th February 2021, with details that included name, date of birth, contact information, passport information, ticket information, Star Alliance and Air India frequent flyer data as well as credit card data.

Credit card also?

  • The airline, while admitting that details of credit card have also been breached, clarified that the CVV/CVC numbers – which are key to execute transactions – were not held by its data processor.
  • Password data was also not affected.
  • “While we and our data processor continue to take remedial actions… we would also encourage passengers to change passwords wherever applicable to ensure safety of their personal data,” Air India said in a statement.

But how was this data leaked? Air India's mistake?

  • The massive data leak was caused by a “sophisticated cyberattack” on Air India’s passenger service system provider SITA.
  • SITA is based out of Geneva in Switzerland.
  • “SITA confirms that it was the victim of a cyber-attack, leading to a data security incident involving certain passenger data that was stored on SITA Passenger Service System (US) Inc servers.”
  • SITA offers back-end network services to a number of airlines and several of them sent similar notifications to their customers earlier this month.
  • The affected airlines included Lufthansa, Finnair, British Airways, Singapore Airlines, American Airlines and United, and involved close to 4.5 million records.

When did Air India come to know about it?

  • The state-owned flight operator further noted that it had received the first notification related to the data breach from its data processor on February 25, 2021.
  • However, the identity of affected data subjects was provided on March 25 and May 4, it added.
  • Air India said that while the level and scope of sophistication is being ascertained through forensic analysis and the exercise is ongoing, SITA has confirmed that no unauthorised activity has been detected inside the system’s infrastructure after the incident.
  • Air India, along with the service provider, is carrying out a risk assessment and would provide a further update as and when it becomes available, it said.
  • The airline said it has taken the following steps after the data security incident: secured the compromised servers, engaged external specialists of data security incidents, notified and is in talks with the credit card issuers, and reset the passwords of the Air India frequent flyer programme.

Experts' view

  • Cybersecurity experts said they were yet to see specifically Air India data being sold on dark web forums, but added that since the hack did not include passwords, the data may instead be sold as a tranche of credit and debit card data.
  • Experts have separately said that sensitive personal information like contact and passport data could potentially lead to impersonation attacks and allow perpetrators to break into people’s bank accounts by using such data for verification.

Q) What’s the exact abbreviation of Malware?

  • Malfunctioned Software
  • Multipurpose Software
  • Malicious Software
  • Malfunctioning of Security

   


COMMENTS

  1. Data Breach Case Study: Air India Airlines Cyberattack

    This cyberattack on Air India took the confidential data of its passengers who used Air India between August 26, 2011, and February 20, 2021. It happened on the SITA passenger service system and data of approximately 45 lakh passengers got compromised. It is being considered as one of the biggest data breaches in the airline industry.

  2. Air India Data Breach: Hackers Access Personal Details Of 4.5 ...

    NurPhoto via Getty Images. Air India has admitted to a massive data breach that compromised the personal data of about 4.5 million passengers. The breach, confirmation of which comes two months ...

  3. Air India data breach

    Air India's data processor, SITA which is a Swiss technology company known for offering passenger processing and reservation system services reported the data breach to Air India in around February 2021. [3] The data breach involved all information which was registered in the SITA data processor between 26 August 2011 and 20 February 2021.

  4. Air India passenger data breach reveals SITA hack worse than first

    The attack compromised data of passengers who had registered with the Indian airline over the past decade, between August 26, 2011 and February 3, 2021, Air India said in a statement. The ...

  5. Air India Data Breach: A Legal Analysis

    The past one year of pandemic has witnessed several cyber-attacks worldwide and India has been no different. India rather has been one of the worst hits of such Cyber Attacks. After one of the massive data breach incidents of MobiKwik, recently Air India announced that its servers were hacked leading to unethical access to their customer database. It further declared that approximately data of ...

  6. How did Air India Suffer a Massive data breach and Why should you be

    About the Air India Data breach. Air India has conveyed that the data of millions of passengers have been compromised due to a cyber attack and it involves the personal data of the passengers registered between 26 August 2011 and 20 February 2021. The airline has announced that the data breach had taken place due to a breach from the SITA ...

  7. Air India data breach exposes India's cybersecurity deficiencies

    According to IBM Security's annual Cost of Data Breach report, which covered 524 organizations globally, India reported the second most cyberattacks after Japan in the Asia Pacific region in 2020. With almost a 10% increase, the financial impact of these breaches was about INR 140 million. More than the financial loss, such violations can make ...

  8. Air India data breach explained: Who is affected by the cyber attack?

    In March, Air India had said that SITA had flagged a cyber-attack it was subjected to in the last week of February and said it led to the leak of personal data of some of the airline's passengers. In its notification to the affected passengers, the airline said that the cyber-attack that compromised the data of millions of passengers from ...

  9. PDF Air India says data on 4.5 million passengers stolen

    Air India announced in March that it had been informed in February by its data processing company, SITA PSS of a cyberattack. The breach involved personal data registered between August 2011 and February 2021, the airline said. SITA, which provides IT backup to much of the aviation industry, said

  10. Air India data breach highlights concerns around third-party risk and

    The Air India data breach is not a standalone incident. The cyber-attack on SITA's passenger service system affected Singapore Airlines, Lufthansa, Malaysia Airlines and Cathay Pacific as well.

  11. Air India data breach impacts 4.5 million customers

    Air India disclosed a data breach after personal information belonging to roughly 4.5 million of its customers was leaked two months following the hack of Passenger Service System ...

  12. An analysis of the increasing cases of data breaches in india

    This research examines the rise of data breaches in India and uses the Air India case study to demonstrate the possible attacks in an airline company's infrastructure and how easily the customers ...

  13. Cyber-Attack on Air India Led to Data Leak of 4.5 Million Fliers

    Hackers infiltrated the servers of Air India Ltd. and gained access to personal data of 4.5 million fliers, the nation's flag carrier said. Personal data of passengers registered between August ...

  14. Air India Data Breach: 45 Lakh Affected In Massive Air India Data

    Air India customers registered with the airline between 26th Aug 2011 and 3rd Feb 2021 were affected. Ten years' worth of Air India customer data including credit cards, passports and phone ...

  15. Air India's Data Breach

    The breach was discovered during a recent cybersecurity attack on the airline's third-party data processor, SITA PSS, which handles the storage and processing of passengers' personal information in the cloud. Air India has stated that it first received notice of the breach from its data processor on February 25, 2021.

  16. Air India customers' data leaked in major cyber attack; credit card

    The March 19 notification refers to a data breach alert issued by Air India where the airline said that its Passenger Service System was subject to a sophisticated cyber attack. The national ...

  17. Air India server hacked; data of 4.5 million consumers compromised

    Air India data breach: Personal info of 45 lakh people leaked due to 'cyberattack'. Personal details like passport, credit card and frequent flier data of about 4.5 million Air India consumers has been compromised after the airline's passenger system - managed by SITA - was hit by a cybersecurity attack in February this year, the airline said ...

  18. Air India says February's data breach affected 4.5 mln passengers

    Personal data of about 4.5 million passengers of Air India was leaked in a cyber attack on the airline's data processor but the compromised servers were later secured, the Indian state-run carrier ...

  19. Air India Cyber-Attack: Massive data breach leaks personal details of

    Air India on May 21, 2021, reported a massive cyber-attack in February 2021 that leaked ten years of customer data including credit cards, phone numbers, and passports ...

  20. Air India data breach: Login ids, passwords of airline's B2B customers

    The airline has sent emails to its B2B customers stating the compromise of login user IDs and passwords of a limited number of B2B clients. This data compromise happened at Air India GST portal ...

  21. Air India Data Breach

    What has happened? The servers of Air India were recently hacked, leading to the unethical access of personal information related to scores of passengers, the national carrier said in a statement issu

  22. IBM Blog

    Artificial intelligence June 27, 2024 Re-evaluating data management in the generative AI age. 4 min read - A good place to start is refreshing the way organizations govern data, particularly as it pertains to its usage in generative AI solutions.