Airline IT provider SITA – which provides technology services to 90 percent of the global aviation industry – has reported it has experienced a “serious” and “highly sophisticated” data breach on Feb. 24.
In a statement issued on March 4, Swiss-based SITA reported the incident involved passenger data stored on SITA Passenger Service Systems (PSS) servers hosted by its American subsidiary in Atlanta, Georgia. SITA further stated it has notified its customers and related organizations following the breach, and customers who may be affected have been advised to contact the airlines directly in accordance with GDPR and data protection legislation.
SITA handles online services for major global airlines including reservations, ticketing, managing departure times, and administration of rewards and frequent flyer programs.
Based in Geneva, Switzerland, SITA has more than 2,500 customers in over 200 countries and territories. The breach has reportedly affected Star Alliance and Oneworld member airlines.
Airlines that have confirmed the breach involving their frequent flyer programs and sent notifications to customers include United, American Airlines, Lufthansa, Cathay Pacific, Singapore Airlines, Air New Zealand, Malaysia Airlines, Finnair and Jeju Air.
In Japan, All Nippon Airways (ANA) and Japan Airlines (JAL) reported the data breach may have affected around 1 million and 920,000 customers respectively.
According to ANA, the Tokyo-based airline shares frequent flyer membership data with other Star Alliance members through SITA's servers. ANA further stated the affected customers are ANA Mileage Club premium members, and the data involved include names, membership numbers, and membership status. However, passwords and credit cards were not part of the leak.
Singapore-based Singapore Airlines – which has stated it is not a SITA PSS customer – reported some KrisFlyer and PPS members could be affected. While not a customer, SITA has access to a set of restricted frequent flyer program data of Star Alliance airlines including Singapore Airlines.
“The information involved is limited to the membership number and tier status and, in some cases, membership name, as this is the full extent of the frequent flyer data that Singapore Airlines shares with other Star Alliance member airlines for this data transfer,” said the airline in a statement.
It added KrisFlyer and PPS passwords, credit card information, and other information such as bookings, passport numbers, and emails were not affected.
The announcement comes after Malaysia Airlines reported a data breach involving its Enrich frequent flyer program through a “third party IT provider” between March 2010 and June 2019. (Flights in Asia)