SITA Passenger Service System Data Breach Impacts Multiple Air Carriers

SITA, a global provider of communication and IT solutions to the aviation industry, has suffered a breach of servers used for its Passenger Service System (SITA PSS). SITA PSS is used by many air carriers for processing airline passenger data as part of their frequent flyer programs.

Hackers accessed its servers in Atlanta, GA in what SITA describes as a highly sophisticated cyberattack. The hackers were able to obtain the data of several of the 26 airlines that are part of Star Alliance, the world’s largest global airline network. Star Alliance members known to have been affected include Lufthansa, Singapore Airlines, Malaysia Airlines, Air New Zealand, and SAS, although not all members of Star Alliance were affected. Non-Star Alliance airlines known to have been affected include Jeju Air, Cathay Pacific and Finnair, with more expected to be added to the list over the coming days.

SITA confirmed the severity of the breach on February 24, 2021 and notified affected Star Alliance members on February 27. SITA has not disclosed publicly exactly how many individuals have had their data compromised in the breach, but several million passengers are believed to have been affected. Singapore Airlines has confirmed publicly that around 580,000 members of its KrisFlyer and PPS programs have been affected.

Singapore Airlines said in its breach notification that it does not use the SITA PSS, but one unnamed Asian airline is a SITA PSS member which is why it was affected. Frequent Flyer program data is shared with other members of the Star Alliance to allow them to recognize the frequent flyer status of other airline carriers, so a breach affecting one SITA PSS member would also result in limited data relating to passengers of other Star Alliance members being compromised.

“All Star Alliance member airlines provide a restricted set of frequent flyer programme data to the alliance, which is then sent on to other member airlines to reside in their respective passenger service systems,” explained Singapore Airlines in its breach notice. “This data transfer is necessary to enable verification of the membership tier status, and to accord to member airlines’ customers the relevant benefits while travelling.”

SITA has notified all affected airlines and has provided them with information on the types of data compromised in the attack. While this differs from company to company, it would appear for the majority of airlines to be limited to frequent flyer account holder name, tier status, and membership number. Highly sensitive data such as card numbers, passport numbers, reservation information and contact information does not appear to have been compromised.

Due to the types of information obtained in the attack, the potential for misuse of the data is limited, but a breach on this scale could see the information used in phishing campaigns to obtain more sensitive data.

Author: Richard Anderson

Richard Anderson is the Editor-in-Chief of NetSec.news