Last week, state-owned airline Air India informed its customers that their data had been leaked. The airline said the company which managed their data, Atlanta-based SITA Passenger Service System, had been “subjected to a cybersecurity attack”, in which customers who had registered for an entire decade, between August 2011 and February 2021, had a large amount of identification data stolen. The hackers, reportedly, siphoned off this data over three entire weeks that they had access to the SITA PSS database. This data included their dates of birth, their passport information, and their credit card details. What was particularly dismaying is that the airline admitted that it had been informed of the breach by its subcontractor on February 25 — but had said nothing to its customers for the intervening three months. It claimed that it had been waiting for the exact details on which customers had suffered the breach. But even that information had been provided to it in March and April. The SITA hack is not Air India’s fault per se; millions of customers across several leading airlines were affected though few others as badly. Not all the airlines had stored the appropriate card information with SITA, and others were affected only through a partner in Star Alliance. (It is not confirmed which Star Alliance partner was the primary target, but Air India is also in Star Alliance.)
The crucial difference here is that the airlines affected, even tangentially, emailed their passengers immediately to warn them of the data breach. Singapore Airlines, British Airways, American Airlines, Finnair, Lufthansa, Aegean, United Airlines, and Ethiopian Airlines all notified their frequent flier customers immediately. Air India, however, aside from a cursory “general announcement” on their website weeks after they were notified, did nothing until last week. This reveals a lackadaisical approach to the security of customers’ data and online activity, which does not reflect well on the airline, particularly in comparison with how all its global peers have behaved. The fact is, each day that customers were left unaware of the breadth of the hack, they stood at greater risk of identity theft or online fraud. SITA PSS itself continues to claim that it provided details of the hack to its airline customers immediately that it was discovered. Air India has said it has spent the time conducting investigations, securing their servers, and speaking to the issuers of credit cards. But none of that activity precludes informing the customers whose data had been leaked. The delay from Air India in informing those most at risk is unconscionable.
India Inc has suffered multiple data breaches in recent times. Payments provider MobiKwik said that 100 million users’ information might have been stolen in March. Records that purported to be those of 20 million BigBasket users were leaked last month. Over the pandemic, companies and others promising secure medical information — including Jio and Dr Lal PathLabs — lost medical data. Among Air India’s competitors, SpiceJet suffered a breach last year of data related to 1.2 million customers. But Air India’s cavalier delay in informing customers stands alone even in this worrisomely long list. It is past time that proper data privacy regulations were implemented in India, which correctly penalise companies that fail to inform customers about data breaches.