Air India's passenger
service system provider SITA faced a sophisticated cyberattack in February this
year leading to leak of personal data of 4.5 million passengers -- which
included passengers of the national carrier -- from across the world, an
official statement said on Friday.
Personal data
-- including name, date of birth, contact information, passport information,
ticket information and credit card data -- which was registered between August
11, 2011, and February 3, 2021, has been leaked of a certain number of Air
India's passengers, the statement issued by the airline said.
"While we and our data
processor continue to take remedial actions...We would also encourage
passengers to change passwords wherever applicable to ensure safety of their
personal data," it said.
Data of 4.5
million passengers -- which includes Air India's passengers -- across the world
has been "affected" due to the cyberattack on SITA, the statement
said.
SITA is based out of Geneva
in Switzerland.
"Air India would like
to inform its valued customers that its passenger service system provider has
informed about a sophisticated cyber attack it was subjected to in the last
week of February 2021," the airline said.
While the level and scope
of sophistication is being ascertained through forensic analysis and the
exercise is ongoing, SITA has confirmed that no unauthorised activity has been
detected inside the system's infrastructure after the incident, it added.
"Air India meanwhile
is in liaison with various regulatory agencies in India and abroad, and has apprised
them about the incident in accordance with its obligations," the airline
said.
However, with respect to
credit cards' data, CVV/CVC numbers are not held by SITA, the airline
clarified.
It said that the identity
of its affected passengers was provided to it by SITA on March 25 and April 5
only.
Air India along with the
service provider is carrying out risk assessment and would further update as
and when it becomes available, it said.
The airline said it has
taken following steps after the data security incident: Secured the compromised
servers, engaged external specialists of data security incidents, notified and
in talk with the credit card issuers and reset the passwords of Air India
frequent flyer programme.