Air India on Friday said that it has suffered a massive data breach, resulting from an attack on its servers by unknown hackers. Air India had talked about the hacking attack earlier in March, but the company says that it is only now when it has been able to ascertain that data of some 4500000 fliers has been leaked. This leaked data includes credit card details but according to Air India not the CVV or CVC number as well personal details like date of birth.
Air India says that it is sending an email to affected consumers. The company says that it is also investigating the whole incident, the hacker attack as well as data breach, further.
Here is what we know about the Air India hacking attack and the data breach.
According to Air India, servers of its partner who processes passenger data were hacked earlier this year. These servers belong to the SITA PSS system that stores and processes passenger data. In other words, when you book a ticket with Air India, the data related to it is stored on the SITA PSS system.
The SITA PSS systems were hacked earlier, though Air India does not specify when that happened. However, it says that it received information from the data processor on February 25 about the hacking attack. Subsequently in March, Air India said that some of its servers have been hacked.
The company says that initially it wasn't known that there was also a data breach due to the hacking attack. But on March 25 and on April 5 it was informed by the data processor that private and sensitive details of nearly 4500000 passengers had been leaked in the hacking attack.
The leaked information includes credit card number and other credit card details, date of birth, ticket number, passport information, contact numbers, and even frequent flier number and the Star Alliance details. But, and so says Air India, the CVV or CVC numbers of credit cards or PIN details have not been leaked because these details Air India does not store.
Air India says that passengers who have been affected by the data breach took a flight with it between August 26, 2011 to February 20, 2021. This also means that the hacking attack on SITA PSS servers happened between February 20 and February 25.
Air India says that it is sending emails to affected customers, telling them the details of the hacking attack. Irrespective of whether you get an email from Air India or not, ideally you should change your password if you have an account with Air India.
Air India says that after the hack, its IT support moved quickly to re-secure the servers. It says that it has not noticed anything abnormal or strange with the affected servers after they were rescued.
In its statement, Air India says: "This incident affected around 4,500,000 data subjects in the world. In respect of credit cards data,CVV/CVC numbers are not held by our data processor. Further, our data processor has ensured that no abnormal activity was observed after securing the compromised servers."
The leak of Air India data is one more high-profile data breach that has taken place in India this year. Earlier, there was some data belonging to Airtel users that was floating on the web. Then There was a data leak from Big Basket, something that also reportedly affected some Flipkart users because the passwords and IDs were kept common by users.
One difference between other data breaches and the one that Air India has suffered is that at least Air India is informing customers, even if it is doing so in a limited way. But given that India lacks a proper Data Protection Law as well as a lax regulatory requirements when it comes to data handling, most companies don't even bother to go public or inform their customers when they suffer data breach.