Air India recently disclosed a data breach that exposed the personally identifying information of 4.5 million customers.
The breach exposed customers’ names, dates of birth, contact information, passport information, frequent flyer data, and some credit card information. Although passwords were not affected by the attack, the airline advises all customers to change their passwords as an extra security precaution.
The disclosure of the Air India data breach comes three months after air transport data giant SITA disclosed its own breach; the two are related, and investigators continue to assess the damage. According to reports, customers who registered between August 26, 2011, and February 3, 2021, were affected.
We spoke to several cybersecurity experts to learn more about the attack.
Air India Data Breach: Expert Commentary
Saryu Nayyar (she/her) is CEO of Gurucul.
“Once again, cyber-criminals are flying off with millions of personally identifiable data of airline passengers, just in time for summer travel. The data stolen can be used in social engineering scams to steal even more from these victims. The breach of third party IT Supplier to Air India, SITA, is to blame for this incident and numerous other breaches as SITA services 90 percent of the world’s airlines. I liken this to the Takata airbag recall in that most car manufacturers rely on Takata for their airbags. And most airlines rely on SITA for airport, border, and aircraft operations. It’s overwhelming to realize a single supplier can take down an entire industry… no one ever heard of SITA or Takata before these incidents. And now we’ll never forget them.”
Rajiv Pimplaskar is CRO of Veridium.
“While the exact cause of the SITA data breach is not yet known, it is clear that loyalty accounts, such as frequent flier or hotel rewards programs are prime targets or “honeypots” for credential theft since they contain rich Personally Identifiable Information (PII). Further, loyalty accounts have less stringent rules around password resets or reuse as compared to financial services accounts employing multifactor authentication (MFA) methods thereby making it easier for credential harvesting and lateral movement.
“Verizon’s Data Breach Investigations Report (DBIR) indicates that over 80 percent of data breaches use compromised credentials. Airlines and the hospitality industry need to accelerate their adoption of passwordless technologies such as “phone as a token” or FIDO2 security keys that eliminate this dependence on credentials. Passwordless authentication can reduce the attack surface of such breaches as well as limit the resulting data exposure. Finally, such authenticators have less friction and can be adopted by both employees and customers improving user experience and productivity.”
Trevor Morgan is Product Manager at comforte AG.
“Attackers often target central airline management systems. They present attractive targets because passenger data persists for booking management purposes over long periods of time. Passenger data is quite sensitive, too, including financial data, identity information, reservations, passports, and travel history data. Penetrating one of these systems presents a gold mine of information for attackers to hold hostage or sell.
“By its very nature, travel data is global and therefore falls under a myriad of privacy and data security regulations from GDPR to CCPA and beyond. Airline and travel companies need to get the message that they have an ethical responsibility and a legal mandate to do everything they can to protect passenger information. Bare minimum data protection just won’t do. This data, especially, should always be protected with data-centric methods such as modern data tokenization or format-preserving encryption technology. These data security methods protect the data itself rather than the perimeters around or access to it. By obfuscating the sensitive parts of data with benign tokens, data-centric security deters attackers from leveraging any data they steal. As we can see with the SITA incident and its effect on Air India, passenger data is vulnerable to compromise and should be tokenized at first touch to head off any detrimental effects if it falls into the wrong hands. That way, no matter where the passenger—or the data—travels, the data remains secure.”