On March 19th 2021, Air India released a press report that their Passenger Service System, SITA PSS( a multinational information technology company providing IT and telecommunication services to the air transport industry), have fallen victim to a sophisticated cyber-attack. Further news reports also revealed that Air India wasn’t the only Passenger Airlines that was affected by the Incident but rather several other Passenger Airlines including Thai Airlines, Air New Zealand, Singapore Airlines, Scandinavian Airlines (SAS), Cathay Pacific, Jeju Air, Malyasia Airlines, Air China, Swiss and Air Canada, Lufthansa and Finnair, as the incident attacked the airlines who were a part of the Star Alliance Network, which is essentially the client of SITA PSS. While the complete extent of the Leak i.e. which Data of which the Airline is leaked, is still under investigation by SITA, AIR INDIA has released another press release highlighting the complete extent of the incident, which has affected them.
What does the Second Press Release state?
The Second press release which acts as a continuation of the first one, which released on 19th March, the Cybersecurity incident has affected around 45 Lakh Data Subjects around the world. The breach that affected that their Data Processor’s network, compromised the personal data of consumers of Air India and Flyers using the Star Alliance network between 26th August 2011 and 3rd February 2021. This ‘personal data’ includes Name, Date of Birth, Contact Information, Passport Information, Ticket information, Star Alliance and Air India frequent Flyer data and Credit Card Information of the Flyer/customer or the ‘Data Subject’. The airline has hoverer, categorically clarified that certain ‘sensitive personal information’ such as Passwords of accounts and CVV/CVC of credit cards was not shared with the Data Processor and hence is not affected. The press release also included the measures the Airline has taken to contain and mitigate the issue since February which included:
- Investigating the data security incident;
- Securing the compromised servers;
- Engaging external specialists of data security incidents;
- Notifying and liaising with the credit card issuers;
- Resetting passwords of Air India FFP program.
What should one do after this incident?
While the press release states that adequate measures have been taken to change all the passwords and people, who could have been affected, have been adequately informed, it is advised to all the individuals who have ever flown with Air India between August 2011 and February 2021 or for that matter have ever flown with the Airline should take the following measures
- Change the Passwords of the Email Addresses given to the Airline and Enable two factor Authentication on said Email Ids.
- Disable all transactions on one’s credit card by calling up the bank or going through the Bank’s IVR or through the Banks App, until one requests and receives a replacement for the same (provided one has used this credit card for collecting frequent flyer points or made transactions for booking the ticket from the Airline or any other third party service provider/agent , or made transactions from this card at the airport for using the lounge or making any other payment to the Airline).
- One should consider of doing the steps 1 and 2 even if they haven’t flown with Air India but have flown with any other Carrier who is a member of Star Alliance as the incident has affected the entire Star Alliance network.
What happens to Air India and SITA PSS after Incident
The press release refers SITA PSS as Air India’s Data processor and the customers of Air India as Data Subjects which hints towards the fact that Air India and SITA PSS had to comply with the rules of GDPR, probably because of being a part of the Star alliance network and serving European Customers as well. This would further mean that AIR India and SITA PSS possibly entered into a ‘Data Processor Agreement’ as well and hence could possible face litigations for Data Breach as per GDPR, if any lapse is found from either sides after the investigation.