National carrier Air India has been informing its customers about the data breach that took place in the last week of February 2021. The first announcement of the breach was made on March 19, 2021, on its website. Recently, the carrier has shared more details on the leak of 45 lakh data subjects or individuals with its customers.
What information was hacked?
As per Air India's statement, the breach involved personal data registered between August 26, 2011, and February 3, 2021, with details that included name, date of birth, contact information, passport information and ticket information.
It also included Star Alliance, Air India frequent flyer data and credit card information. No password data was affected. CVV/CVC numbers were not held by the data processor that reported the breach.
Who exactly has been affected?
The carrier stated the Passenger Service System provider was subject to a “sophisticated cyber-attack” which led to the personal data leak of certain passengers. It sent out a communication to all those individuals whose data has been leaked.
It stated in the communications, “While we had received the first notification in this regard from our data processor on 25.02.2021, we would like to clarify that the identity of the affected data subjects was only provided to us by our data processor on 25.03.2021 & 5.04.2021.”
In the letter to the customers, Air India said, “The breach involved personal data registered between 26th August 2011 and 20th February 2021, with details that included name, date of birth, contact information, passport information, ticket information, Star Alliance and Air India frequent flyer data (but no passwords data were affected) as well as credit cards data. However, in respect of this last type of data, CVV/CVC numbers are not held by our data processor.”
The timeline
The first notification was the breach was notified on February 25, Air India said, adding that the identity of the affected data subjects was only provided to them by their data processor on March 25 and April 5.
"The present communication is an effort to apprise of accurate state of facts as on date and to supplement our general announcement of 19th March 2021 initially made via our website," they said.
It further informed that several measures to ensure the safety of the data including investigating the data security incident, securing the compromised servers, engaging external specialists of data security incidents and notifying and liaising with the credit card issuers, were taken.
The airline has also reset passwords of the Air India FFP program, and requested passengers to change passwords wherever applicable to ensure safety of their personal data.
"Our data processor has ensured that no abnormal activity was observed after securing the compromised servers. While we and our data processor continue to take remedial actions including but not limited to the above, we would also encourage passengers to change passwords wherever applicable to ensure the safety of their personal data," it said.
It added, "The protection of our customer's personal data is of the highest importance to us and we deeply regret the inconvenience caused and appreciate continued support and trust of our passengers."
(With inputs from agencies)
