SITA, a technology company that provides services to the transportation industry and has 400 members based in Geneva, and who claims that most air passengers touch its technology during travels, was hacked.
Singapore Airlines today informed select KrisFlyer program members whose member information had been breached at SITA PSS. We have now added statements from Finnair, Lufthansa, and several other airlines.
Here’s an announcement from SITA:
SITA confirms that it was the victim of a cyber-attack, leading to a data security incident involving certain passenger data that was stored on SITA Passenger Service System (US) Inc. servers. Passenger Service System (US) Inc. (“SITA PSS”) operates passenger processing systems for airlines.
After confirmation of the seriousness of the data security incident on February 24, 2021, SITA took immediate action to contact affected SITA PSS customers and all related organizations.
We recognize that the COVID-19 pandemic has raised concerns about security threats, and, at the same time, cyber-criminals have become more sophisticated and active. This was a highly sophisticated attack.
SITA acted swiftly and initiated targeted containment measures. The matter remains under continued investigation by SITA’s Security Incident Response Team with the support of leading external experts in cyber-security.
If you are the customer of an airline and have a Data Subject Access Request in relation to the handling of your personal data, this request must be made directly to that airline in accordance with GDPR and data protection legislation. SITA is unable to respond directly to any such request.
Here’s a warning that Singapore Airlines sent today:
Here’s a copy of the email that Finnair sent out (Google translate):
And here what Lufthansa has been emailing to their MIles&More members:
Latest one from Aegean’s Miles+Bonus
And British Airways Executive Club members are affected too!
American Airlines AAdvantage members are affected too!
United’s MileagePlus members are affected as well:
Ethiopian ShebaMiles sent the following message:
Conclusion
CORRECTION: We earlier incorrectly stated that SITA would have been owned or part of IATA. That is not the case. It provides services to more than 400 member airlines and cooperates with other industry bodies such as IATA.
At least in Singapore Airlines’ case, only the frequent flier number, name of the member, and tier level has been accessible through the SITA PSS hack.
Perhaps other airlines have used this platform to share more passenger information.
It is unclear what other information processed by SITA PSS on behalf of airlines has been accessed by these hackers and how widespread the breach has been. I would expect other airlines soon to follow with emails like the one from Singapore Airlines.