Air India SITA passenger data breach
A supply-chain compromise of aviation IT provider SITA exposed roughly 4.5 million Air India passengers' names, passport details, ticket data, frequent-flyer numbers, and payment card information collected over nearly a decade of bookings.
- Victim
- Air India
- records
- 4.5M
- users
- 4.5M
On 21 May 2021, Air India notified its customers that a breach of its passenger-services IT provider had exposed personal data for approximately 4.5 million passengers worldwide. The intrusion did not occur in Air India's own systems — it was a supply-chain compromise of SITA, the Geneva-based company whose Passenger Service System (PSS) underpins reservations for much of the global airline industry.
What happened
SITA detected unauthorized access to its Passenger Service System infrastructure on 25 February 2021 and disclosed the incident publicly on 4 March 2021. Because SITA's PSS is shared across the Star Alliance and OneWorld ecosystems, the breach cascaded to at least ten carriers, including Singapore Airlines, Malaysia Airlines, Cathay Pacific, Finnair, Jeju Air, Lufthansa, Air New Zealand, Scandinavian Airlines, and Polish Airlines.
Air India, a Star Alliance member, was among the most heavily affected. SITA delivered the list of impacted Air India data subjects on 25 March and 5 April 2021, after which the airline investigated and disclosed the scope to the public in May.
Impact
- Roughly 4.5 million passengers had data exposed.
- The compromised records covered bookings made between 26 August 2011 and 3 February 2021 — nearly ten years of customer history.
- Exposed fields included names, dates of birth, contact information, passport details, ticket information, Star Alliance and Air India frequent-flyer data, and payment card data.
- Crucially, CVV/CVC card-verification values and account passwords were not stored in the affected system and were not exposed.
Air India advised affected travellers to change the password on its portal and to be alert for fraud. It also reset the passwords of its frequent-flyer programme members as a precaution.
Why it matters
The SITA breach is a textbook illustration of concentration risk in shared aviation IT. Because a single vendor processes reservations for dozens of the world's largest airlines, one compromise simultaneously exposed passengers across multiple continents and alliances. For India specifically, it remains one of the largest exposures of citizens' passport-linked travel data, occurring as the country debated its Personal Data Protection framework. The incident reinforced that an organisation's data-protection posture is only as strong as that of the third parties to which it outsources core processing — a lesson that drove tighter vendor-risk and breach-notification expectations across the aviation sector.
Timeline
SITA, the Geneva-based aviation IT provider, first detects unauthorized access to its Passenger Service System (PSS) infrastructure.
SITA publicly discloses the breach of its PSS, affecting multiple Star Alliance and OneWorld carriers worldwide.
SITA provides Air India with the identity of the affected data subjects; a second batch follows on 5 April.
Air India publicly notifies customers that roughly 4.5 million passenger records were compromised in the SITA incident.
Air India issues an updated disclosure confirming the data spanned bookings between 26 August 2011 and 3 February 2021.
Sources
- therecord.mediahttps://therecord.media/air-india-says-data-breach-impacts-4-5-million-former-passengers
- techcrunch.comhttps://techcrunch.com/2021/05/23/air-india-passenger-data-breach-reveals-sita-hack-worse-than-first-thought
- securityaffairs.comhttps://securityaffairs.com/118162/data-breach/air-india-data-breach.html
- bbc.comhttps://www.bbc.com/news/world-asia-india-57210118