The data breach occurred at an Air India service provider’s facility and led to the personal details of 4.5 million customers being compromised.
The Ministry of Civil Aviation informed the Parliament that Air India is still in the process of intimating passengers months after a cyber-attack was perpetrated in the last week of February. Earlier in July, two journalists had sent a legal notice to Air India seeking compensation for damages suffered due to the data breach.
Terming the incident as a ‘cyber-attack’, Minister of State for Civil Aviation, Gen (retd) V K Singh said, “However, Air India currently is discharging its obligations such as intimating passengers, intimating the Data Protection Authorities (DPAs), replying to the queries of DPAs in coordination with SITA.”
No further information was provided about which DPAs were referred to by the minister. The Personal Data Protection Bill 2019, which might be tabled in the Winter Session of Parliament, has proposed the establishment of a data regulator — The Data Protection Authority of India (DPA), which will be entrusted with the “duty to protect the interests of the data principals, prevent any misuse of personal data, ensure compliance with the provisions of the Act and promote about data protection.”
Why it matters? Cyber crimes have been on the rise ever since the COVID-19 pandemic began, due to an increased reliance on digital tools and the internet. According to a study by software firm Micro Focus, Indian organisations have experienced a 58% increase in cyber-security challenges over the last few months, while there was a 51% increase in the challenge to investigate or remediate incidents. Around 98% of Indian organisations are short-staffed when it comes to security, the study said.
Singh informed that the data breach occurred at the facility of SITA, the provider of Passenger Services System (PSS) for Air India. SITA discovered this breach on February 8, when they observed some anomaly in their billing system, he said, adding that Air India was informed of the same in the last week of February 2021. According to the minister, SITA’s data centre is in Atlanta, USA along with Air India’s PSS data.
4.5 million customers affected in the cyber attack: Air India
In a statement on May 15, Air India reported the data breach which compromised the personal details and information of 4.5 million customers. The airline’s passenger system, managed by IT software company SITA which works exclusively with the global airline industry, suffered a cyber-security attack in February this year.
“This is to inform that SITA PSS our data processor of the passenger service system (which is responsible for storing and processing of personal information of the passengers) had recently been subjected to a cybersecurity attack leading to personal data leak of certain passengers. This incident affected around 4,500,000 data subjects in the world,” AI said in a statement.
While the national carrier said that credit and debit card information of customers was not leaked as part of the breach as SITA does not store such information, passenger details like name, date of birth, contact information, passport information, ticket information, Star Alliance, and Air India frequent flyer data was compromised.
The hackers managed to extract customer information, barring payment details, that was registered on the SITA-AI system between 2011 and 2021, the statement said. It also added that while the two entities will take remedial actions, passengers should change their passwords (on the AI website) to ensure the safety of their personal data.
“While the level and scope of sophistication is being ascertained through forensic analysis and the exercise is ongoing, the service provider has confirmed that post incident , no unauthorized activity inside the PSS infrastructure has been detected. Air India meanwhile is in liaison with various regulatory agencies in India and abroad, and has apprised them about the incident in accordance with its obligations. Air India along with the service provider is carrying out risk assessment and would further update as and when it becomes available,” the Air India statement said.
Customers file legal notice seeking Rs 30 lakh in damages
The legal notice was sent to the state-owned airline by advocate Ashwani Kumar Dubey on behalf of Zee News Associate News Editor Ritika Handoo and PTI legal correspondent Pawan Singh and sought Rs 30 lakh in damages.
The notice said that since the breach “led to loss of my clients’ sensitive personal information, you the noticees are hereby liable to pay damages for causing wrongful loss of my clients’ informational autonomy, loss of their privacy, loss of dignity, loss of control over their data and for distress and mental injury for which I, call you the noticees to monetarily compensate my client with an amount of Rs. 30,00,000/- (Rupees Thirty Lakhs only) within a period of 15 days from the date of receipt of this notice.” The notice said that non-compliance would lead to “serious legal consequences”.
User data not secured: Referring to the airline’s privacy policy which claimed to keep user and company data equally safe, the notice said, “it is clear that you have falsely represented that the security services are of a high standard because it is the customer data that has been leaked and not any other Company data.” The notice called the claim deceptive and said that the journalists’ “informational autonomy” had been breached and that this amounted to a violation of their privacy, guaranteed under Article 21 of the Constitution. This was compounded, the notice said, by the journalists’ inability to control their personal data now that it was stolen.
Also read:
- Data Breach At Air India Comprised 4.5 Million Customers’ Data
- We need to know
- Clubhouse hack exposes data of 1.3m users, CEO says info already public
- Personal details of 533 million Facebook users, including 11 million Indians, leaked on hacking forum
