The breach of passenger data at Air India may pose litigation risks for the airline that could further delay the privatisation process, warn experts, adding that the national carrier must prioritise efforts to contain the damage from the cyber attack by informing passengers about steps they can still take to prevent fraud.
In a press statement, the airline said that its passenger processing system, supplied by multi-national information technology company SITA, was a target of a sophisticated cyber attack on February 25. Nearly 45 lakh “data subjects” registered over a period of 10 years between August 2011 and February 2021 were affected around the world, including passengers of other airlines such as Singapore Airlines, Lufthansa, Cathay Pacific and United Airlines, among others. The attack was on SITA’s servers at its data centre in Atlanta, United States.
“A major impact it may have is that the current process of privatisation may go slow as there will always be fear of unquantified litigation risks. They (government) may be able to separate past versus future liabilities, but it opens up a new avenue for a discussion with potential bidders,” said Sivarama Krishnan, Leader-Asia Pacific, Cybersecurity, PwC.
The extent to which individual airlines were affected due to the cyber attack varied from one airline to another. Some airlines wrote to their passengers saying only passenger names and frequent flyer numbers were stolen. In the case of Air India, the theft pertained to “name, date of birth, contact information, passport information, ticket information, Star Alliance and Air India frequent flyer data (but no passwords data were affected) as well as credit cards data (but no CVV data).”
Adopt remedial measures
Air India must prioritise alerting its customers and asking them to take specific preventive steps, says Sanchit Gogia, Founder, Greyhound Research.
“The focus ought to be on remedial and protective measures rather than on investigation alone. Air India should be releasing a public advisory either through e-mails or SMSes asking customers to beware of dubious emails, SMSes or calls. Customers must be told to change their passwords and credit and debit cards immediately. This will go a long way in instilling confidence,” says Mr. Gogia.
At the same time, there is no need to panic. “There is nothing much a hacker can do just by having a passport number in isolation. If you have safeguarded your email ids, and changed passwords, these measures will go a long way in curbing the steps to hack you.”
So far, Air India has issued a notification on its websites for its passengers urging them to change their passwords. The airline has said that it is investigating the data security incident and taking steps to secure the compromised servers, besides engaging external specialists in data security incidents and liaising with credit card issuers.
In response to an e-mail query, SITA said on Saturday, “By global and industry standards, we identified this cyber-attack extremely quickly. The matter remains under active investigation by SITA. Each affected airline has been provided with the details of the exact type of data that has been compromised, including details of the number of data records within each of the relevant data categories, including some personal data of airline passengers.”