The data breach occurred at the facility of an Air India service provider and resulted in the personal information of 4.5 million customers being compromised.

The Ministry of Civil Aviation told parliament that Air India was still in the process of addressing passengers months after a cyber attack in the last week of February. In early July, two journalists sent a legal notice to Air India asking for compensation for the damage caused by the data breach.

The Minister of State for Civil Aviation, Gen. VK Singh, described the incident as a “cyber attack” and said: Answering inquiries from data protection authorities in coordination with SITA. “

No further information was provided on which data protection authorities the minister had referred to. The Personal Data Protection Act 2019, which could be tabled in the winter session of Parliament, has proposed the establishment of a data protection authority – the Data Protection Authority of India (DPA) entrusted with the “duty to protect the interests of” data controllers, prevent any misuse of personal data, ensure compliance with the provisions of the law and promote data protection. “

Why is it important? Cybercrime has increased since the beginning of the COVID-19 pandemic due to an increasing reliance on digital tools and the internet. According to a to learn of software company Micro Focus, Indian companies saw cybersecurity challenges increase by 58% in recent months, while the challenge to investigate or resolve incidents increased by 51%. Around 98% of Indian companies have a shortage of staff when it comes to security, the study says.

Singh announced that the data breach occurred at the facility of SITA, the passenger service system (PSS) provider for Air India. SITA discovered this breach on Feb. 8 when they observed an anomaly in their billing system, he said, adding that Air India was informed about it in the last week of February 2021. According to the minister, SITA’s data center is located in Atlanta, USA along with Air India’s PSS data.

4.5 million customers affected by cyber attack: Air India

In a May 15 statement, reported the data breach to Air India, which put the personal data and information of 4.5 million customers at risk. The airline’s passenger system, which is managed by the IT software company SITA, which works exclusively with the global aviation industry, suffered a cyber security attack in February this year.

“We would like to inform you that SITA PSS, our data processor of the passenger services system (which is responsible for storing and processing passengers’ personal data) has recently been exposed to a cybersecurity attack which resulted in the loss of personal data of certain passengers. This incident affected around 4,500,000 people worldwide, ”AI said in a statement.

While the national airline said customer credit and debit card information was not leaked as part of the breach, as SITA does not store such information, passenger information such as name, date of birth, contact information, passport information, ticket information, Star Alliance, and frequent flyer information is from Air India have been compromised.

The hackers managed to extract customer information registered in the SITA AI system between 2011 and 2021, excluding payment details, the statement said. It was also added that while the two companies will take remedial action, passengers should change their passwords (on the AI ​​website) to keep their personal information safe.

“While the level and extent of sophistication is being determined through forensic analysis and the exercise is in progress, the service provider has confirmed that no unauthorized activity was detected within the PSS infrastructure following the incident. Meanwhile, Air India is in contact with various regulators in India and abroad and has informed them of the incident in accordance with their obligations. Air India is carrying out a risk assessment together with the service provider and will continue to update it as soon as it becomes available, ”said the Air India statement.

Customers file legal notice to claim Rs 30 lakh in damages

The legal notice was sent to the state airline by attorney Ashwani Kumar Dubey on behalf of Zee News’ news editor Ritika Handoo and PTI’s legal correspondent Pawan Singh seeking Rs 30 lakh in damages.

The press release states that since the breach “has resulted in the loss of sensitive personal data of my clients, you, the terminations, are hereby liable for damages because you have illegally lost the informational autonomy of my clients, have lost their privacy, have lost their dignity.” , Control over your data and for emergencies and psychological injuries for which I call you the terminations in order to compensate my customers with an amount of Rs. 30,000,000 / – (rupees thirty lakhs only) within 15 days from the date of receipt of this notice. ”The notice stated that failure to comply would result in“ serious legal consequences ”.

User data not backed up: Referring to the airline’s privacy policy, which claims to protect user and company data equally, the notice states: “It is clear that you have falsely stated that security services are of a high standard because the customer data has been leaked and no other company data. ”The notice deceived the claim, saying that journalists’“ information autonomy ”had been violated and that this was an invasion of their privacy guaranteed under Article 21 of the Constitution. This was compounded by the journalists’ inability to control their personal information after the theft.

Also read: