"What can airline passengers do to make sure that their personal data and credit card information do not end up in the hands of cybercriminals?"
If you’re a frequent flyer, you might want to check whether you’re one of those who could have been targeted by what’s been described as a “massive, highly sophisticated cyber attack” in the first quarter of this year.
The cyber hacking is reported to have affected almost all of the world’s airline companies, targeting 10 years’ worth of personal data of an estimated 4.5 million passengers, mostly those considered frequent flyers.
What was compromised were passenger service system (PSS) servers in the United States belonging to the Geneva-based SITA, one of the biggest air transport industry companies in the world. SITA provides information technology (IT) and telecommunication services to 400 members and 2,800 customers, which SITA claims comprise 90 percent of the world’s airline business.
SITA helps airlines manage reservations, ticketing, aircraft departures, airport operations and security, baggage, aircraft connectivity and in-flight cabin and cockpit operations, through its Horizon PSS.
SITA is one of just a few aviation IT providers offering passenger ticketing and reservation services to airlines across the globe. The others include the Texas-based Sabre Corporation and the Madrid-headquartered Amadeus IT Group.
And here’s what could prove worrisome for local air travellers: SITA provides airlines and border control (immigration) solutions in the Philippines, thus making its clients similarly vulnerable to, or at risk of, security breaches. The two leading airlines in the country, namely Philippine Airlines and Cebu Pacific Air, use SITA’s Horizon system.
Hence, companies and individuals wanting to hire the services of SITA would do well to think twice before doing so, because they could expose their highly sensitive and confidential corporate and personal data plus those of their clients and company-partners to serious security threats.
This is not the first time the air transport industry has been hounded by cyber crimes, as Sabre and Amadeus have been targeted in the past.
In 2017, Sabre’s hotel reservation system was compromised after hackers got hold of the credit card numbers of over a million of its customers. Sabre later agreed to a $2.4-million settlement and made changes to its cybersecurity policies.
In 2019, the passenger booking system of Amadeus was also targeted, with hackers able to access the traveller records of its customers. Air France, British Airways and Qantas were among the users of Amadeus’ booking system at the time.
This February, hackers managed to gain access to SITA’s PSS servers in its data center in Atlanta before the security breach was exposed. What happened? Hackers were able to obtain sensitive personal and financial data of airline passengers, including their names, dates of birth, passport and ticket details, and credit card information.
Air India, which uses SITA’s Horizon PSS, confirmed that the breach had compromised the personal data of about 4.5 million air passengers, including its flyers who registered with the airline between August 26, 2011 and February 3, 2021.
The companies affected by the cyber attack last February include Deutsche Lufthansa, Cathay Pacific, Air New Zealand, United Airlines, American Airlines, Singapore Airlines, Malaysia Airlines, Finnair and Jeju Air.
Aside from the airlines using SITA’s Horizon PSS, certain firms like Singapore Airlines fell victim to a third-party breach because they belong to either the Star Alliance or OneWorld networks, some of whose member-airlines were using SITA’s hacked system. The frequent flyer information of Star Alliance and OneWorld member-airlines passes through SITA’s passenger service system so that they can provide loyalty points to their passengers.
In a March 4 statement, Singapore Airlines explained that, “All Star Alliance member-airlines provide a restricted set of frequent flyer program data to the alliance, which is then sent on to other member-airlines to reside in their respective passenger service systems. This data transfer is necessary to enable verification of the membership tier status, and to accord to member-airlines’ customers the relevant benefits while travelling. One of the Star Alliance member airlines is a SITA PSS customer. As a result, SITA has access to the restricted set of frequent flyer program data for all 26 Star Alliance member airlines including Singapore Airlines.”
About 580,000 KrisFlyer and PSS member-passengers of Singapore Airlines are believed to have been targeted by this third-party data breach.
The extent of the cyber hacking’s impact has yet to be determined because, apart from the airlines using SITA’s Horizon system like Air India and those victimized by a third-party breach like Singapore Airlines, the partner-organizations of SITA other than the affected airline companies might have similarly suffered or remain vulnerable to possible data breaches.
For its part, SITA said it had taken swift action and initiated “targeted containment measures” to address the security incident, and that its investigation of the cyber attack continues.
Meanwhile, what can airline passengers do to make sure that their personal data and credit card information do not end up in the hands of cybercriminals? Perhaps our airlines can tell us exactly what we should do. Forewarned is forearmed.