4.5 Million Passengers’ Data Stolen In Air India Cyber Attack

BACKGROUND:

Air India has disclosed in a statement that the data of around 4.5 million of its passengers was stolen following a cyber attack on global aviation industry IT supplier SITA three months ago. The breach involved personal data spanning almost 10 years, from 26 August 2011 to 3 February 2021, including name, date of birth, contact information, passport information, ticket information, Star Alliance and Air India frequent flyer data, and credit card data. No frequent flyer passwords or CVV/CVC data were stolen, however, as this information was not held by SITA. While the SITA cyber attack was first discovered at the end of February, Air India said it only understood the severity of the cyber attack last month. When the cyber attack was disclosed, SITA said Star Alliance and One World airlines were affected. Alongside Air India, this included Finnair, Japan Airlines, Jeju Air, Lufthansa, Malaysia Airlines, Air New Zealand, Cathay Pacific, and Singapore Airlines.

Expert Comments

May 24, 2021
David Sygula
Senior Cybersecurity Analyst
CybelAngel

The Air India incident is further proof that addressing data breaches that occur outside the corporate firewall is vital to managing your third-party risk. As more organizations turn to cloud providers for everything from infrastructure to apps to support employees, save money, and enable digital transformation, they are expanding their attack surface exponentially. 

 

Organisations must constantly scan for leaked documents outside the enterprise perimeter, including connected storage, open databases, cloud applications, and the Dark Web to uncover confidential and sensitive data quickly, before it is exploited. 

 

The legal and regulatory consequences of leaked data often include fines, penalties, and damage to reputation, which drives up customer acquisition costs and decreases lifetime customer value. Similarly, shareholder value can take years to recover, if ever.

May 25, 2021
Steven Hope
CEO and co-founder
Authlogics

Air India have said that no “passwords data was affected” (http://www.airindia.in/images/pdf/Data-Breach-Notification.pdf). It is interesting that they make the point not once, but twice, that users should change their passwords. One has to wonder if there are any security measures in place to ensure that people are choosing a new password that hasn’t already been compromised. It is very common for people to reuse passwords and if their “new” password has already been compromised elsewhere, it undermines the point of making the change. We see the password sharing pattern in breach data all the time where people use the same password on multiple web sites, including at their workplace.

May 25, 2021
Rajiv Pimplaskar
CEO
Dispersive Holdings, Inc.

While the exact cause of the SITA data breach is not yet known, it is clear that loyalty accounts, such as frequent flier or hotel rewards programs, are prime targets or “honeypots” for credential theft since they contain rich Personally Identifiable Information (PII). Further, loyalty accounts have less stringent rules around password resets or reuse as compared to financial services accounts employing multi-factor authentication (MFA) methods, thereby making it easier for credential harvesting and lateral movement.

 

Verizon’s Data Breach Investigations Report (DBIR) indicates that over 80% of data breaches use compromised credentials. Airlines and the hospitality industry need to accelerate their adoption of passwordless technologies such as “phone as a token” or FIDO2 security keys that eliminate this dependence on credentials. Passwordless authentication can reduce the attack surface of such breaches as well as limit the resulting data exposure. Finally, such authenticators have less friction and can be adopted by both employees and customers improving user experience and productivity.

May 25, 2021
Saryu Nayyar
CEO
Gurucul

Once again, cybercriminals are flying off with millions of personally identifiable data of airline passengers, just in time for summer travel. The data stolen can be used in social engineering scams to steal even more from these victims. The breach of third party IT Supplier to Air India, SITA, is to blame for this incident and numerous other breaches as SITA services 90% of the world’s airlines. I liken this to the Takata air bag recall in that most car manufacturers rely on Takata for their air bags. And most airlines rely on SITA for airport, border and aircraft operations. It’s overwhelming to realize a single supplier can take down an entire industry… no one ever heard of SITA or Takata before these incidents. And now we’ll never forget them.

May 24, 2021
Trevor Morgan
Product Manager
comforte AG

Attackers often target central airline management systems. They present attractive targets because passenger data persists for booking management purposes over long periods of time. Passenger data is quite sensitive, too, including financial data, identity information, reservations, passports, and travel history data. Penetrating one of these systems presents a gold mine of information for attackers to hold hostage or sell.

 

By its very nature, travel data is global and therefore falls under a myriad of privacy and data security regulations from GDPR to CCPA and beyond. Airline and travel companies need to get the message that they have an ethical responsibility and a legal mandate to do everything they can to protect passenger information. Bare minimum data protection just won’t do. This data, especially, should always be protected with data-centric methods such as modern data tokenization or format-preserving encryption technology. These methods protect the data itself rather than the perimeters around or access to it. By obfuscating the sensitive parts of data with benign tokens, tokenization deters attackers from leveraging any data they steal.

 

As we can see with the SITA incident and its effect on Air India, passenger data is vulnerable to compromise and should be tokenized at first touch to head off any detrimental effects if it falls into the wrong hands. That way, no matter where the passenger—or the data—travels, the data remains secure.

May 24, 2021
Javvad Malik
Security Awareness Advocate
KnowBe4

Many security breaches occur, and in most cases, people are understanding when they do occur. However, there is an expectation that once a breach does occur, a thorough investigation will be conducted quickly and all affected parties notified.

 

If new details only come to light months after the breach, it raises some questions around what level of monitoring and auditing was in place and how the breach was investigated.

 

Having threat detection and incident response controls and procedures in place isn't a nice to have, it's an essential part of every organisation. The lack of these controls becomes very apparent in the aftermath of an incident and can cause significant reputational damage to organisations.

May 24, 2021
Martin Jartelius
CSO
Outpost24

An airline company is breached. There is a lot of data and also payment details obtained. This puts a target on your back, as an industry. The reason airlines are a good target as such is lots of personal data, detailed and sensitive personal data, and processing of payment details in archaic systems. If the security amongst these businesses compared to others is worse, that’s open for discussion; my reflection is that these are neither worse nor better. I have not tested an airline booking or awards program that did not have its flaws, but that goes for almost any complex system we attempt to breach. On the request of the companies themselves, of course.

 

That being said, it is to be kept in mind that airlines in general have massive digital footprints, making it hard to properly secure their data. With 24/7 business operations, client demands for innovation and an ever-growing IT infrastructure, it is a constant battle for airlines and their IT (security) teams to cope. Is it impossible to adequately secure? No, but it is a challenge. It is about knowing where to focus, and part of that is risk acceptance. When in doubt, ask for help, but as an airline you cannot permit yourself to stand idly by.

May 24, 2021
Jake Moore
Cybersecurity Specialist
ESET

The wake of a cyber attack is a painstaking time of not only picking up the pieces, but also putting them all back together again. This can take time, and it is also important to learn from the attack at this stage, as well as juggling the PR and other issues such as data loss. However, when data is compromised, it is absolutely vital that those affected are made aware at the earliest opportunity. The knock-on effects from breached customer data can have a significant impact on those who are targeted by identity theft or further account compromise, especially when financial data is stolen too.

 

Furthermore, due to the time it can take for companies to learn that they have been attacked – which can clearly span up to a decade – it is important for everyone to be mindful of their data and keep a tab on their privacy and financial situations. Simply checking bank accounts daily can help detect and mitigate targeted attacks on victims of data theft.
