An Air India flyer has sought damages from the airline after the recent leak of personal data of 4.5 million passengers including hers and her husband's.
A legal notice was sent to Air India management on Sunday by Ritika Handoo in which she said that the airline informed her about the breach on June 1, her lawyer said.
Terming the breach as a violation of her "right to be forgotten and informational autonomy", she sought a compensation of Rs 30 lakh.
Air India's passenger service system provider SITA faced a sophisticated cyberattack in February this year leading to the leak of personal data of 4.5 million passengers -- which included passengers of the national carrier -- from across the world, the email sent by the carrier said.
The breach involved personal data registered between August 26, 2011 and February 20, 2021, with details that included name, date of birth, contact information, passport information, ticket information, Star Alliance and Air India frequent flyer data (but no passwords data were affected) as well as credit cards data.
"However, in respect of this last type of data, CVV/CVC numbers are not held by our data processor, the email said.
More From This Section
Handoo, a Delhi-based journalist, in her notice to Air India accused it of "knowingly, intentionally and deliberately leaking the personal data and for breach of sensitive information.
Noticees (Air India) are the guilty of leaking the sensitive information and personal data of my client.
My client was shocked and alarmed to learn the recent security lapse of you the Noticees that has led to a massive personal data breach that includes sensitive personal information and personal data thereby, making my client's personal data open to exploitation, the notice sent through advocate Ashwani Kumar Dubey said.
Referring to Chapter VII of the Company's Customer Care Data Privacy Policy, the notice said that it clearly provides that all customers retain control over their data/information to the extent possible so as to change the personal information in your records except in exceptional circumstances where it's a law and order issue.
Now that my client does not have any control over personal information as the same is stolen, it violates my client's right to privacy and right to be forgotten as this loss of control over his personal data has led to a loss of my client's informational autonomy, which is guaranteed as a fundamental right by the Supreme Court in Justice K.S. Puttuswamy (Retd.) & Anr. Vs. Union of India & Ors, the notice said.
Data of 4.5 million passengers -- which includes Air India''s passengers -- across the world has been "affected" due to the cyberattack on SITA, the statement said. SITA is based out of Geneva in Switzerland.
"Air India would like to inform its valued customers that its passenger service system provider has informed about a sophisticated cyber-attack it was subjected to in the last week of February 2021," the airline had said.