BACKGROUND:
Air India has disclosed that the data of around 4.5 million of its passengers was stolen following a cyber attack on global aviation industry IT supplier SITA three months ago, in a statement by the airline. The breach involved personal data spanning almost 10 years, from 26 August 2011 to 3 February 2021, including name, date of birth, contact information, passport information, ticket information, Star Alliance and Air India frequent flyer data, and credit card data. No frequent flyer passwords or CVV/CVC data were stolen, however, as this information was not held by SITA. While the SITA cyber attack was first discovered at the end of February, Air India said it only understood the severity of the cyber attack last month. When the cyber attack was disclosed, SITA said Star Alliance and One World airlines were affected. Alongside Air India, this included Finnair, Japan Airlines, Jeju Air, Lufthansa, Malaysia Airlines, Air New Zealand, Cathay Pacific, and Singapore Airlines.
<p>Air India have said that no “passwords data was affected” (<a href=\"http://www.airindia.in/images/pdf/Data-Breach-Notification.pdf\" target=\"_blank\" rel=\"noopener noreferrer\" data-saferedirecturl=\"https://www.google.com/url?q=http://www.airindia.in/images/pdf/Data-Breach-Notification.pdf&source=gmail&ust=1622028125521000&usg=AFQjCNHquD6rwkFa3RTX7KonQILXYPvbtA\">http://www.airindia.in/<wbr />images/pdf/Data-Breach-<wbr />Notification.pdf</a>). It is interesting that they make the point not once, but twice, that users should change their passwords. One has to wonder if there are any security measures in place to ensure that people are choosing a new password that hasn’t already been compromised. It is very common for people to reuse passwords and if their “new” password has already been compromised elsewhere, it undermines the point of making the change. We see the password sharing pattern in breach data all the time where people use the same password on multiple web sites, including at their workplace.</p>
<p>Air India have said that no “passwords data was affected” (<a href=\"http://www.airindia.in/images/pdf/Data-Breach-Notification.pdf\" target=\"_blank\" rel=\"noopener noreferrer\" data-saferedirecturl=\"https://www.google.com/url?q=http://www.airindia.in/images/pdf/Data-Breach-Notification.pdf&source=gmail&ust=1622028125521000&usg=AFQjCNHquD6rwkFa3RTX7KonQILXYPvbtA\">http://www.airindia.in/<wbr />images/pdf/Data-Breach-<wbr />Notification.pdf</a>). It is interesting that they make the point not once, but twice, that users should change their passwords. One has to wonder if there are any security measures in place to ensure that people are choosing a new password that hasn’t already been compromised. It is very common for people to reuse passwords and if their “new” password has already been compromised elsewhere, it undermines the point of making the change. We see the password sharing pattern in breach data all the time where people use the same password on multiple web sites, including at their workplace.</p>
<p>While the exact cause of the SITA data breach is not yet known, it is clear that loyalty accounts, such as frequent flier or hotel rewards programs are prime targets or “honeypots\" for credential theft since they contain rich Personally Identifiable Information (PII). Further, loyalty accounts have less stringent rules around password resets or reuse as compared to financial services accounts employing multi factor authentication (MFA) methods thereby making it easier for credential harvesting and lateral movement. </p> <p> </p> <p>Verizon’s Data Breach Investigations Report (DBIR) indicates that over 80% of data breaches use compromised credentials. Airlines and the hospitality industry need to accelerate their adoption of passwordless technologies such as “phone as a token” or FIDO2 security keys that eliminate this dependence on credentials. Passwordless authentication can reduce the attack surface of such breaches as well as limit the resulting data exposure. Finally, such authenticators have less friction and can be adopted by both employees and customers improving user experience and productivity.</p>
<p>Once again, cybercriminals are flying off with millions of personally identifiable data of airline passengers, just in time for summer travel. The data stolen can be used in social engineering scams to steal even more from these victims. The breach of third party IT Supplier to Air India, SITA, is to blame for this incident and numerous other breaches as SITA services 90% of the world’s airlines. I liken this to the Takata air bag recall in that most car manufacturers rely on Takata for their air bags. And most airlines rely on SITA for airport, border and aircraft operations. It’s overwhelming to realize a single supplier can take down an entire industry… no one ever heard of SITA or Takata before these incidents. And now we’ll never forget them.</p>
<p>Attackers often target central airline management systems. They present attractive targets because passenger data persists for booking management purposes over long periods of time. Passenger data is quite sensitive, too, including financial data, identity information, reservations, passports, and travel history data. Penetrating one of these systems presents a gold mine of information for attackers to hold hostage or sell.</p> <p> </p> <p>By its very nature, travel data is global and therefore falls under a myriad of privacy and data security regulations from GDPR to CCPA and beyond. Airline and travel companies need to get the message that they have an ethical responsibility and a legal mandate to do everything they can to protect passenger information. Bare minimum data protection just won’t do. This data, especially, should always be protected with data-centric methods such as modern data tokenization or format-preserving encryption technology. These methods protect the data itself rather than the perimeters around or access to it. By obfuscating the sensitive parts of data with benign tokens, tokenization deters attackers from leveraging any data they steal.</p> <p> </p> <p>As we can see with the SITA incident and its effect on Air India, passenger data is vulnerable to compromise and should be tokenized at first touch to head off any detrimental effects if it falling into the wrong hands. That way, no matter where the passenger—or the data—travels, the data remains secure.</p>