National carrier Air India has been informing its customers about the data breach that took place in the last week of February 2021. The first announcement of the breach was made on March 19, 2021 on its website. Recently, the carrier has shared more details on the leak of 45 lakh data subjects or individuals with its customers.
The leaked data included name, date of birth, contact information, passport information, ticket information, Star Alliance and Air India frequent flyer data (but no passwords data were affected) as well as credit card data.
The carrier stated the Passenger Service System provider was subject to “sophisticated cyber attack” which led to personal data leak of certain passengers. It sent out a communication to all those individuals whose data has been leaked.
It stated in the communications, “While we had received the first notification in this regard from our data processor on 25.02.2021, we would like to clarify that the identity of the affected data subjects was only provided to us by our data processor on 25.03.2021 & 5.04.2021.”
In the letter to the customers Air India said, “The breach involved personal data registered between 26th August 2011 and 20th February 2021, with details that included name, date of birth, contact information, passport information, ticket information, Star Alliance and Air India frequent flyer data (but no passwords data were affected) as well as credit cards data. However, in respect of this last type of data, CVV/CVC numbers are not held by our data processor.”
Some users took to the microblogging site to inform about the letter sent out by the carrier.
On March 19, the airline said while the level and scope of sophistication is being ascertained through forensic analysis and the exercise is ongoing, the service provider has confirmed that post incident, no unauthorised activity inside the PSS infrastructure has been detected. “Air India meanwhile is in liaison with various regulatory agencies in India and abroad, and has apprised them about the incident in accordance with its obligations. Air India along with the service provider is carrying out risk assessment and would further update as and when it becomes available,” it stated in its earlier communication.