Air India knew of compromised passenger list from cyber attack only by March-April

Dubai: Passengers affected by the data breach at Air India were only known in March and April, according to the national airline. But awareness of the breach itself was known in February, it said in a statement on Friday.

SITA PSS, Air India's data processor of the passenger service system, was subject to a cybersecurity attack, which affected 4.5 million passengers around the world. The name, date of birth, contact information, passport information, ticket information, Star Alliance and Air India frequent flyer data as well as credit cards data registered between August 2011 and February 20, 2022, were leaked during the breach.

"While we had received the first notification in this regard from our data processor on 25th February, we would like to clarify that the identity of the affected data subjects was only provided to us by our data processor on 25th March and 5th April," said Air India in an emailed statement to passengers.

When it comes to credit cards, the "CVV/CVC numbers are not held by our data processor," said Air India in its latest update.

Air India is investigating the incident, securing the compromised servers, notifying the credit card issuers, and resetting passwords of frequent flyer programme. "Further, our data processor has ensured that no abnormal activity was observed after securing the compromised servers," said Air India.