Airline technology provider SITA this week acknowledged that it was hit last month by a “highly sophisticated” cyberattack targeting passenger data in its Passenger Service System servers, which serves multiple airlines.
SITA in a statement did not detail what sort of data was targeted or stolen during the attack, which hit its U.S. servers on Feb. 24, but said it “initiated targeted containment measures” and “took immediate action to contact affected SITA PSS customers and all related organizations.” The incident remains under investigation, according to SITA.
While SITA has not disclosed which airlines’ data were affected, some carriers have issued their own statements about the breach. Singapore Airlines, for one, said the breach affected around 580,000 members of its KrisFlyer and PPS programs. Although Singapore is not a SITA PSS customer, it—along with all other Star Alliance airlines—provide data from its frequent-flyer program to the alliance, which other member airlines using the system then store.
“The information involved is limited to the membership number and tier status and, in some cases, membership name, as this is the full extent of the frequent flyer data that Singapore Airlines shares with other Star Alliance member airlines for this data transfer,” according to Singapore Airlines’ statement. “Specifically, this data breach does not involve KrisFlyer and PPS member passwords, credit card information and other customer data, such as itineraries, reservations, ticketing, passport numbers and email addresses as SIA does not share this information with other Star Alliance member airlines for this data transfer.”
Both Malaysia Airlines and Finnair also have notified customers about the breach and encouraged them to change their loyalty program passwords as a precaution, though both also said they had no evidence that passwords were disclosed in the breach.
[Update, March 5] United Airlines also sent a note to customers encouraging them to change MileagePlus passwords “out of an abundance of caution,” though the carrier said no passwords, personal information or other sensitive data was accessed beyond names, MileagePlus numbers and Star Alliance status.