UPDATED 21:45 EST / MAY 24 2021

SECURITY

4.5M customer records stolen from Air India following attack on service provider SITA

India’s flag carrier Air India Ltd. has revealed that the personal data of some 4.5 million of its customers was stolen following an attack on airline information technology services company SITA in March.

The data stolen included passenger names, credit card details, dates of birth, contact information, ticket information and frequent-flyer data. The airline noted that passwords were not affected. The stolen data covers passengers who traveled with the airline between August 2011 and February this year.

Air India said in a recent statement reported over the weekend that it had taken measures since first becoming aware of the breach, including launching an investigation, securing compromised servers, engaging third-party specialists, notifying and liaising with credit card issuers, and resetting passwords of the Air India frequent flyer program.

SITA is a multinational information technology company that provides services to 400 members and 2,800 customers in the transport industry and claims to provide services to 90% of the world’s airline businesses. The attack was described only as a cyberattack, with no details about the form it took. TechCrunch reported at the time that airlines including Malaysia Airlines Berhad, Finnair Oyj, Singapore Airlines Ltd., Jeju Air Co. Ltd., Air New Zealand Ltd., Cathay Pacific Airways Ltd., Deutsche Lufthansa AG and United Airlines Inc. were all affected by the incident.

“Once again, cybercriminals are flying off with millions of personally identifiable data of airline passengers, just in time for summer travel,” Saryu Nayyar, chief executive officer of unified security and risk analytics company Gurucul Solutions Pvt Ltd. A.G., told SiliconANGLE. “The data stolen can be used in social engineering scams to steal even more from these victims.”

Rajiv Pimplaskar, chief revenue officer at authentication platform provider Veridium Ltd., noted that although the exact cause of the SITA data breach is not yet known, it is clear that loyalty accounts, such as frequent flier or hotel rewards programs, are prime targets for credential theft since they contain rich personally identifiable information.

“Further, loyalty accounts have less stringent rules around password resets or reuse as compared to financial services accounts employing multifactor authentication methods thereby making it easier for credential harvesting and lateral movement,” Pimplaskar added. “Airlines and the hospitality industry need to accelerate their adoption of passwordless technologies such as ‘phone as a token’ or FIDO2 security keys that eliminate this dependence on credentials.”

Photo: Masakatus Ukon/Wikimedia Commons
