SITA, a large data company that works with some of the largest airlines in the world, announced Thursday who had been the victim of a “highly sophisticated cyber attack”, the kind that compromised information on hundreds of thousands of airline passengers around the world.
The attack, which occurred in February, targeted data stored on SITA’s Passenger Service System servers, responsible for storing information related to transactions between operators and customers. One of the things that SITA does is to act as a data exchange mechanism between different airlines, helping to Make sure “Passenger benefits can be used on different carriers” in a systematic way.
Understanding what specific data the hackers accessed is, at this point, a little difficult – although it appears that some of it was frequent flyer information shared with SITA by members of the Star Alliance, the largest global airline alliance in the world.
An airline alliance is basically an industry consortium, and Star’s membership is made up of some of the most prominent airlines in the world – including United Airlines, Lufthansa, Air Canada and 23 others. Of these members, several have already come forward to announce violations in connection with the attack – and SITA itself appears have recognized that the affected parties are connected to alliance members.
An Alliance member, Air New Zealand, recently wrote to customers that “some data from our customers, as well as many other Star Alliance airlines” were affected by the SITA attack. Similarly, Singapore Airlines recently told your customers that some of your data has been affected by the breach because “Star Alliance member airlines provide a restricted set of frequent flyer programs [sic] data for the alliance, which are then sent to other member airlines to reside in their respective passenger service systems. “
G / O Media can receive a commission
It is unclear whether all members of the Star Alliance were affected. A representative from SITA said TechCrunch that the breach “affects several airlines around the world, not just in the United States,” but declined to name them all. We have contacted SITA for comment and will update if they respond.
So far, it appears that the nature of the breach is broader than profound. In other words, many people appear to have been affected, although in most cases the data being shared with SITA does not appear to be as extensive. In the case of Singapore Airlines, for example, more than 500,000 people had their data compromised, although the data didn’t include items like member itineraries, passwords, or credit card information. The airline declared:
About 580,000 KrisFlyer and PPS members were affected by the breach of SITA’s PSS servers. The information involved is limited to member number and tier status and, in some cases, member name, as this is the full extent of frequent flyer data that Singapore Airlines shares with other Star Alliance member airlines for this transfer of data.
So … having a hacker knowing how often you fly doesn’t seem so bad, right? However, even if the SITA breach is not as extensive, it is yet another great example of what kind of problem third the parties represent for organizations within a supply chain – and what an attractive target they are for hackers. Because of the complicated ways in which personal data is collected, stored and shared, it is incredibly easy for security officials to lose the weakest link in an industry chain. On the other hand, it can be incredibly easy for a hacker to detect one.