Aviation IT company SITA has been breached in what appears to be a coordinated and sophisticated cyber attack affecting hundreds of thousands of passengers that are members of Star Alliance airlines.
In a statement, SITA confirmed that it was the victim of a cyber attack on February 24, 2021 “involving certain passenger data” stored on its servers.
“After confirmation of the seriousness of the data security incident on 24 February 2021, Sita took immediate action to contact affected SITA PSS customers and all related organisations,” said SITA.
“We recognise that the Covid-19 pandemic has raised concerns about security threats, and, at the same time, cybercriminals have become more sophisticated and active. This was a highly sophisticated attack.”
Star Alliance has 26 member airlines. In an email to customers Leanne Geraghty, Air New Zealand’s chief customer and sales officer said: “We have recently been alerted that a Star Alliance partner has been impacted by a security data breach, involving some of our customers’ data as well as that of many other Star Alliance airlines.” However, she also confirmed that the data breach didn’t affect any passwords or credit card information stored by passengers.
“The Star Alliance member airlines share minimal frequent flyer data between each other and limited third parties to ensure benefits can be used across different carriers, for example access to member lounges,” Geraghty said.
Singapore Airlines, who admitted that roughly 580,000 of its own customers were affected by the breach, also reassured passengers that “it is not possible for someone to access any confidential customer data or their miles with only the leaked information.”
SITA provides IT and telecoms services to around 400 members in the industry, claiming to serve around 90% of the global airline business. In its statement it also said: “If you are the customer of an airline and have a Data Subject Access Request in relation to the handling of your personal data, this request must be made directly to that airline in accordance with GDPR and data protection legislation. SITA is unable to respond directly to any such request.”