Air India Data Breach: Credit Card Information Leaked, Should Affected Customers Replace their Cards?

Air India data breach is likely to have impacted as many as 45 lakh Air India customers, according to a statement issued by the carrier. This incident came to light after Air India’s SITA PSS, the data processor of the passenger service system, which is responsible for storing and processing of personal information of the passengers, had recently been subjected to a cybersecurity attack leading to personal data leak of certain passengers.

The airline received the first notification in this regard from its SITA PSS data processor on 25 February 2021, and the identity of the affected data subjects was provided by the data processor on 25 March 2021 and 5 April 2021. “The present communication is an effort to apprise of accurate state of facts as on date and to supplement our general announcement of 19th March 2021 initially made via our website,” said Air India.

What Information has been Leaked in the Air India Data Breach

The Air India data breach involves the personal information of passengers that has been registered from 26 August 2011 and 3 February 2021. The passenger details that have been leaked are as follows:

• Date of birth.
• Contact information – Including email and phone numbers.
• Passport information.
• Ticket information.
• Star Alliance and Air India frequent flyer data. However, the airline claims that passwords have not been affected.
• Credit cards.

Should Customers Affected in Air India Data Breach Replace their Cards?

Although the airline maintains that CVV/CVC numbers are not held by its data processor, experts are of the view that affected passengers must replace their cards. “One should now surely replace their credit or debit card and more so if you have been a customer of both Air India and Dominos,” says Ritesh Bhatia, Cyber Crime Investigator, and founder and director, V4WEB Cybersecurity.

Furthermore, Air India has also added in its official statement that while their data processor continues to take remedial actions, passengers must change passwords wherever applicable to ensure the safety of their personal data.

Action Taken by Air India in this Regard

While “deeply regretting the inconvenience caused”, the airline says that that the following measures to ensure the safety of the data were immediately taken:

• Investigating the data security incident.
• Securing the compromised servers.
• Engaging external specialists of data security incidents.
• Notifying and liaising with the credit card issuers.
• Resetting passwords of Air India FFP program.