Data on hundreds of thousands of airline passengers around the world has been hacked via a “highly sophisticated” attack on the IT systems operator that serves around 90% of the global aviation industry.
Sita, which serves the Star Alliance of airlines including Singapore Airlines, Lufthansa and United, said on Thursday it had been the victim of a cyber attack leading to a breach of passenger data held on its servers.
The Geneva-based company, which runs passenger processing systems for airlines such as ticketing and baggage control, said the incident occurred on 24 February.
Sita took “immediate action” to contact affected customers and all related organisations, Sita said in a statement.
“We recognise that the Covid-19 pandemic has raised concerns about security threats, and, at the same time, cyber-criminals have become more sophisticated and active. This was a highly sophisticated attack.
“Sita acted swiftly and initiated targeted containment measures. The matter remains under continued investigation by Sita’s security incident response team with the support of leading external experts in cyber-security.”
Sita had informed Malaysia Airlines, Singapore Airlines, Finnair and a South Korean carrier called Jeju Air that their passengers had been affected by the breach of its passenger service system (PSS) servers. SITA Passenger Service System (US) Inc operates passenger processing systems for airlines are stored on servers in its data centre in Atlanta in the US.
Passengers of Lufthansa, Cathay Pacific and Air New Zealand were also affected. ANZ pcustomers received an email from the airline on Friday to say that “some of our customers’ data as well as that of many other Star Alliance airlines” had been affected.
Star Alliance, which also includes Air China, Swiss and Air Canada, shares data between carriers to ensure benefits can be spread among each member airline.
The breach was linked to frequent flyer data but was limited to “your name, tier status and membership number”, the email from Air New Zealand said.
“This data breach does not include any member passwords, credit card information or other personal customer data such as itineraries, reservations, ticketing, passport numbers, email addresses or other contact information,” passengers were told.
This article has been amended to make clear that Sita is based in Switzerland, not the United States. SITA Passenger Service System (US) Inc operates in Atlanta.