India’s flag carrier Air India Ltd. has revealed that the personal data of some 4.5 million of its customers was stolen following an attack on airline information technology services company SITA in March.
The data stolen included passenger names, credit card details, dates of birth, contact information, ticket information and frequent-flyer data. The airline noted that passwords were not affected. The stolen data covers passengers who traveled with the airline between August 2011 and February this year.
Air India said in a recent statement reported over the weekend that it had taken measures since first becoming aware of the breach, including launching an investigation, securing compromised servers, engaging third-party specialists, notifying and liaising with credit card issuers, and resetting passwords of the Air India frequent flyer program.
SITA is a multinational information technology company that provides services to 400 members and 2,800 customers in the transport industry and claims to provide services to 90% of the world’s airline businesses. The attack was only described as a cyberattack with no details as to the form of the attack. TechCrunch reported at the time that airlines including Malaysia Airlines Berhad, Finnair Oyj, Singapore Airlines Ltd., Jeju Air Co. Ltd., Air New Zealand Ltd., Cathay Pacific Airways Ltd., Deutsche Lufthansa AG and United Airlines Inc. were all affected by the incident.
“Once again, cybercriminals are flying off with millions of personally identifiable data of airline passengers, just in time for summer travel,” Saryu Nayyar, chief executive officer of unified security and risk analytics company Gurucul Solutions Pvt Ltd. A.G., told SiliconANGLE. “The data stolen can be used in social engineering scams to steal even more from these victims.”
Rajiv Pimplaskar, chief revenue officer at authentication platform provider Veridium Ltd., noted that although the exact cause of the SITA data breach is not yet known, it is clear that loyalty accounts, such as frequent flier or hotel rewards programs are prime targets for credential theft since they contain rich personally identifiable information.
“Further, loyalty accounts have less stringent rules around password resets or reuse as compared to financial services accounts employing multifactor authentication methods thereby making it easier for credential harvesting and lateral movement,” Pimplaskar added. “Airlines and the hospitality industry need to accelerate their adoption of passwordless technologies such as ‘phone as a token’ or FIDO2 security keys that eliminate this dependence on credentials.”
Photo: Masakatus Ukon/Wikimedia Commons
Since you’re here …
Show your support for our mission with our one-click subscription to our YouTube channel (below). The more subscribers we have, the more YouTube will suggest relevant enterprise and emerging technology content to you. Thanks!
Support our mission: >>>>>> SUBSCRIBE NOW >>>>>> to our YouTube channel.
… We’d also like to tell you about our mission and how you can help us fulfill it. SiliconANGLE Media Inc.’s business model is based on the intrinsic value of the content, not advertising. Unlike many online publications, we don’t have a paywall or run banner advertising, because we want to keep our journalism open, without influence or the need to chase traffic.The journalism, reporting and commentary on SiliconANGLE — along with live, unscripted video from our Silicon Valley studio and globe-trotting video teams at theCUBE — take a lot of hard work, time and money. Keeping the quality high requires the support of sponsors who are aligned with our vision of ad-free journalism content.
If you like the reporting, video interviews and other ad-free content here, please take a moment to check out a sample of the video content supported by our sponsors, tweet your support, and keep coming back to SiliconANGLE.
.jpg){kind=link}