wordpress blog stats
Connect with us

Hi, what are you looking for?

Air India still in the process of ‘intimating’ passengers about February cyber attack: Civil Aviation Ministry


The data breach occurred at an Air India service provider’s facility and led to the personal details of 4.5 million customers being compromised.  

The Ministry of Civil Aviation informed the Parliament that Air India is still in the process of intimating passengers months after a cyber-attack was perpetrated in the last week of February. Earlier in July, two journalists had sent a legal notice to Air India seeking compensation for damages suffered due to the data breach.

Terming the incident as a ‘cyber-attack’, Minister of State for Civil Aviation, Gen (retd) V K Singh said, “However, Air India currently is discharging its obligations such as intimating passengers, intimating the Data Protection Authorities (DPAs), replying to the queries of DPAs in coordination with SITA.”

No further information was provided about which DPAs were referred to by the minister. The Personal Data Protection Bill 2019, which might be tabled in the Winter Session of Parliament, has proposed the establishment of a data regulator — The Data Protection Authority of India (DPA), which will be entrusted with the “duty to protect the interests of the data principals, prevent any misuse of personal data, ensure compliance with the provisions of the Act and promote about data protection.”

Why it matters? Cyber crimes have been on the rise ever since the COVID-19 pandemic began, due to an increased reliance on digital tools and the internet. According to a study by software firm Micro Focus, Indian organisations have experienced a 58% increase in cyber-security challenges over the last few months, while there was a 51% increase in the challenge to investigate or remediate incidents. Around 98% of Indian organisations are short-staffed when it comes to security, the study said.

Advertisement. Scroll to continue reading.

Singh informed that the data breach occurred at the facility of SITA, the provider of Passenger Services System (PSS) for Air India. SITA discovered this breach on February 8, when they observed some anomaly in their billing system, he said, adding that Air India was informed of the same in the last week of February 2021. According to the minister, SITA’s data centre is in Atlanta, USA along with Air India’s PSS data.

4.5 million customers affected in the cyber attack: Air India

In a statement on May 15, Air India reported the data breach which compromised the personal details and information of 4.5 million customers. The airline’s passenger system, managed by IT software company SITA which works exclusively with the global airline industry, suffered a cyber-security attack in February this year.

“This is to inform that SITA PSS our data processor of the passenger service system (which is responsible for storing and processing of personal information of the passengers) had recently been subjected to a cybersecurity attack leading to personal data leak of certain passengers. This incident affected around 4,500,000 data subjects in the world,” AI said in a statement.

While the national carrier said that credit and debit card information of customers was not leaked as part of the breach as SITA does not store such information, passenger details like name, date of birth, contact information, passport information, ticket information, Star Alliance, and Air India frequent flyer data was compromised.

The hackers managed to extract customer information, barring payment details, that was registered on the SITA-AI system between 2011 and 2021, the statement said. It also added that while the two entities will take remedial actions, passengers should change their passwords (on the AI website) to ensure the safety of their personal data.

“While the level and scope of sophistication is being ascertained through forensic analysis and the exercise is ongoing, the service provider has confirmed that post incident , no unauthorized activity inside the PSS infrastructure has been detected. Air India meanwhile is in liaison with various regulatory agencies in India and abroad, and has apprised them about the incident in accordance with its obligations. Air India along with the service provider is carrying out risk assessment and would further update as and when it becomes available,” the Air India statement said.

Customers file legal notice seeking Rs 30 lakh in damages

The legal notice was sent to the state-owned airline by advocate Ashwani Kumar Dubey on behalf of Zee News Associate News Editor Ritika Handoo and PTI legal correspondent Pawan Singh and sought Rs 30 lakh in damages.

Advertisement. Scroll to continue reading.

The notice said that since the breach “led to loss of my clients’ sensitive personal information, you the noticees are hereby liable to pay damages for causing wrongful loss of my clients’ informational autonomy, loss of their privacy, loss of dignity, loss of control over their data and for distress and mental injury for which I, call you the noticees to monetarily compensate my client with an amount of Rs. 30,00,000/- (Rupees Thirty Lakhs only) within a period of 15 days from the date of receipt of this notice.” The notice said that non-compliance would lead to “serious legal consequences”.

User data not secured: Referring to the airline’s privacy policy which claimed to keep user and company data equally safe, the notice said, “it is clear that you have falsely represented that the security services are of a high standard because it is the customer data that has been leaked and not any other Company data.” The notice called the claim deceptive and said that the journalists’ “informational autonomy” had been breached and that this amounted to a violation of their privacy, guaranteed under Article 21 of the Constitution. This was compounded, the notice said, by the journalists’ inability to control their personal data now that it was stolen.

Also read:

Written By

Among other subjects, I cover the increasing usage of emerging technologies, especially for surveillance in India

MediaNama’s mission is to help build a digital ecosystem which is open, fair, global and competitive.



Looking at the definition of health data, it is difficult to verify whether health IDs are covered by the Bill.


The accession to the Convention brings many advantages, but it could complicate the Brazilian stance at the BRICS and UN levels.


In light of the state's emerging digital healthcare apparatus, how does Clause 12 alter the consent and purpose limitation model?


The collective implication of leaving out ‘proportionality’ from Clause 12 is to provide very wide discretionary powers to the state.


The latest draft is also problematic for companies or service providers that have nothing to with children's data.

You May Also Like


Google has released a Google Travel Trends Report which states that branded budget hotel search queries grew 179% year over year (YOY) in India, in...


135 job openings in over 60 companies are listed at our free Digital and Mobile Job Board: If you’re looking for a job, or...


Rajesh Kumar* doesn’t have many enemies in life. But, Uber, for which he drives a cab everyday, is starting to look like one, he...


By Aroon Deep and Aditya Chunduru You’re reading it here first: Twitter has complied with government requests to censor 52 tweets that mostly criticised...

MediaNama is the premier source of information and analysis on Technology Policy in India. More about MediaNama, and contact information, here.

© 2008-2021 Mixed Bag Media Pvt. Ltd. Developed By PixelVJ

Subscribe to our daily newsletter
Your email address:*
Please enter all required fields Click to hide
Correct invalid entries Click to hide

© 2008-2021 Mixed Bag Media Pvt. Ltd. Developed By PixelVJ