A “highly sophisticated” cyber attack has compromised frequent flyer data for hundreds of thousands of travelers from airline loyalty programs around the world.
Cyber Attack Harvests Frequent Flyer Data
SITA is one of the largest aviation IT companies in the world and purportedly serves over 90% of airlines (though it does not disclose its client list). Airlines utilize SITA’s passenger service system (PSS) to manage several facets of travel including ticketing, frequent flyer programs, and even aircraft departures.
In a rather cryptic statement on its website on Thursday, SITA noted it had been the “victim of a cyberattack” in February, calling it “a highly sophisticated attack.”
After confirmation of the seriousness of the data security incident on February 24, 2021, SITA took immediate action to contact affected SITA PSS customers and all related organizations.
Already, several airlines have informed their members of the data breach, including:
- Air New Zealand
- Finnair
- Jeju Air
- Malaysia Airlines
- Singapore Airlines
SITA also works on behalf of all Star Alliance carriers, including Lufthansa and United.
Air New Zealand told its members in an email that the breach focused on frequent flyer data but was limited to “your name, tier status and membership number.”
“This data breach does not include any member passwords, credit card information or other personal customer data such as itineraries, reservations, ticketing, passport numbers, email addresses or other contact information.”
Singapore Airlines confirmed that 580,000 of its members were compromised. It also added that passwords, reservations, and credit card information were not hacked. While Singapore Airlines is not a direct client of SITA, it explained:
“All Star Alliance member airlines provide a restricted set of frequent flier program data to the alliance, which is then sent on to other member airlines to reside in their respective passenger service systems.
“This data transfer is necessary to enable verification of the membership tier status, and to accord to member airlines’ customers the relevant benefits while traveling.”
CONCLUSION
It is not clear what the hackers were targeting, but it does appear the information gathered was limited to frequent flyer numbers associated with your name. The breach is an important reminder that our data is vulnerable, yet we should still exercise caution in how we safeguard it.
Matt, thanks for the factual report you’ve gleaned from media and FFP sources. The breach was outside of Star Alliance systems, as you noted. We carried out an immediate assessment of our systems. There are no indications that they have been affected. As correctly stated by SQ, only a limited subset of data is shared in order to recognize FFP premium flyers across their alliance journey and accord them their benefits. Shame on your graphic, as it was not Star Alliance systems that were hacked. I’m at your disposal for more dialogue.
I got a warning email from United about this