Ten years’ worth of Air India customer data, including credit cards, passport details and phone numbers of 45 lakh customers, has been leaked in a massive cyber-attack on its data processor in February, the airline has announced.
The data was leaked between 26th August 2011 and 3rd February 2021, Air India said, disclosing the scale of the breach nearly three months after it was first informed of it.
“Our data processor of the passenger service system (which is responsible for storing and processing of personal information of the passengers) had recently been subjected to a cybersecurity attack leading to personal data leak of certain passengers. This incident affected around 4,500,000 data subjects in the world,” the statement issued by Air India said.
However, the airline clarified that the CVV/CVC numbers – which are key to executing transactions – were not held by its data processor. “The breach involved personal data registered between 26th August 2011 and 20th February 2021, with details that included name, date of birth, contact information, passport information, ticket information, Star Alliance and Air India frequent flyer data (but no passwords data were affected) as well as credit card data. However, in respect of this last type of data, CVV/CVC numbers are not held by our data processor,” Air India stated.
Air India said that it first received the notification related to the data breach from its data processor on February 25, 2021. However, the identity of affected data subjects was provided on March 25 and May 4, it added.
It also noted that it is taking measures to ensure the safety of data and has begun investigating the data security incident. The airline is also securing the compromised servers, engaging external specialists in data security incidents, notifying and liaising with credit card issuers, and resetting passwords for the Air India frequent flyer programme.