Air India has disclosed a data breach. While it had released information earlier, on 19th March, 2021, about a sophisticated cyber-attack on its Passenger Service System (PSS) provider. However, at that point of time, the national Airline could not disclose the extent of damage caused by the attack. It had also stated that it is in contact with various regulatory agencies in India and abroad and has apprised them about the incident in accordance with its obligations. However, Air India has now disclosed that the data breach has leaked data of 45 lakh users.
The airline has now said that its data processor of the PSS informed it of the breach on 25th February, 2021. However, the data processor clarified the identity of affected data subjects on 24th March, 2021 and 5th April, 2021. The breach involved personal data registered between 26th August 2011 and 3rd February, 2021.
The leaked details include name, data of birth, contact information, passport information, ticket information, Star Alliance and Air India frequent flyer data as well as credit cards.
After receiving the notification, the airline has taken the following measures to ensure safety of the data:
- Investigating the data security incident
- Securing the compromised servers
- Engaging external specialists of data security incidents,
- Notifying and liaising with the credit card issuers,
- Resetting passwords of Air India frequent flyer program
Although the airline says that no password data was affected, it has still asked passengers to change their passwords to ensure safety of their personal data.
Recent security breaches and data protection
Security breaches have seen a massive surge since the onset of the coronavirus pandemic. In past 3 moths, Domino’s leaked 13 TB of personal and financial data. Facebook leaked data of 61 lakh Indian users, and CERT-In had even issued an advisory. Once again, a security researchers found a Telegram bot selling user data from a different Facebook database. LinkedIn also leaked data of 500 mn users, while Upstox leaked data of 25 lakh users. Mobikwik exposed 35 lakh Indians, Moneycontrol data breach impacted 7 lakh Indians, and Zee5’s leak stood at 90 lakh users. But it’s not just limited to private entities, Mumbai’s Chinese sponsored blackout was the biggest news.
The Ministry of Home Affairs had informed the parliament that India faced 12 lakh cyber security incidents in 2020 alone.
Sadly, all of this is happening while India is still contemplating a new National Cyber Security Strategy, and a new data protection law. Even in this case, the breach disclosure comes very late. When Twitter failed to notify the Irish Data Protection Authority within 72 hours of discovering the breach as per GDPR, it was fined $546,000. Since this data breach pertains to users all around the world, it would be interesting to see as to how European Data Protection Commissioners reacts.