We should have seen it coming. Air India started talking about a data breach back in March 2021, but with all the COVID upheaval and headlines, it floated by without comment. Last Friday Air India reported that it had suffered a massive data breach and malware attack
which exposed the credit card details of 4,500,000 passengers, among other data.
Air India reports that they have notified affected customers by email, and are looking into the attack, breach, and any other data which could be affected. They have been communicating with the public, but have also been less than forthcoming about the attack, with reports of the hack starting in both February or March. Let’s explore the Air India Data Breach.
Air India Hack & Attack Timeline
An Air India partner was breached early in 2021, with the SITA PSS data breach affecting the very systems which store and process passenger data.
The initial information from Air India only referenced a hacking attack, neglecting to mention any possible data breach. On March 25th and April 5, 2021 Air India became aware of the stolen customer data.
The stolen customer data was defined as customer credit card numbers and details, personal information like date of birth and passport information, contact information and frequent flier numbers.
A statement from Air India said, “This incident affected around 4,500,000 data subjects in the world. In respect of credit cards data, CVV/CVC numbers are not held by our data processor. Further, our data processor has ensured that no abnormal activity was observed after securing the compromised servers."
Global Data Protection Laws
The Geneva-based cyber security firm responsible for serving 90% of the world’s airlines have chosen not to reveal the data on the method or process of cyber-attack, as there is an ongoing investigation. We recently saw another example of hackers knowing no borders with the AXA hacking event
which affected Hong Kong, Thailand, Malaysia, the Philippines, Ireland and France…so far.
Data protection laws vary wildly from region to region, with the GDPR setting the bar high, and other regions trailing. Canada’s data protection laws are considered “adequate,” followed by the Americas, Australia, and the remainder of Europe, which are considered “authority and law(s). India is categorized as a “data protection law(s)” country – followed only by the “no specific law” category. Consumers, travellers and international business owners should be well aware of the specific data privacy laws in each region.
The Future of Air India
Air India was struggling before the attack, surviving on taxpayer money and a hope and a prayer. We have no doubt they are investigating the issue, but some wonder if the airline will survive this incident, or if it will go the way of Travelex.