Airline technology provider SITA confirmed on 4 March that its servers were breached in a cyber-attack, “leading to a data security incident involving certain passenger data that was stored on SITA Passenger Service System (US) Inc. servers, which operates passenger processing systems for airlines”. The company said it took “immediate action” after it confirmed the attack and contacted affected customers.
“We recognise that the COVID-19 pandemic has raised concerns about security threats, and, at the same time, cyber-criminals have become more sophisticated and active. This was a highly sophisticated attack,” the company said. “The matter remains under continued investigation by SITA’s Security Incident Response Team with the support of leading external experts in cyber-security.”
While SITA has not disclosed which airlines’ data were affected, some carriers have issued their own statements about the breach. Singapore Airlines said the breach affected around 580,000 members of its KrisFlyer and PPS programs. Although Singapore is not a SITA PSS customer, it—along with all other Star Alliance airlines—provide data from its frequent-flyer program to the alliance, which other member airlines using the system then store.
“The information involved is limited to the membership number and tier status and, in some cases, membership name, as this is the full extent of the frequent flyer data that Singapore Airlines shares with other Star Alliance member airlines for this data transfer,” according to Singapore Airlines’ statement. “Specifically, this data breach does not involve KrisFlyer and PPS member passwords, credit card information and other customer data, such as itineraries, reservations, ticketing, passport numbers and email addresses as SIA does not share this information with other Star Alliance member airlines for this data transfer.”
Both Malaysia Airlines and Finnair also have notified customers about the breach and encouraged them to change their loyalty program passwords as a precaution, though both also said they had no evidence that passwords were disclosed in the breach.