SITA, a data firm that works with some of the world’s largest airlines, announced Thursday that it had been the victim of a “highly sophisticated cyberattack,” the likes of which compromised information on hundreds of thousands of airline passengers all over the world.
The attack, which occurred in February, targeted data stored on SITA’s Passenger Service System servers, which are responsible for storing information related to transactions between carriers and customers. One of the things SITA does is act as a mechanism for data exchange between different airlines—helping to ensure that passenger “benefits can be used across different carriers” in a systematized fashion.
Understanding what specific data the hackers accessed is, at this point, a little tough—though it would appear that some of it was frequent flier information shared with SITA by members of the Star Alliance, the world’s largest global airline alliance.
An airline alliance is basically an industry consortium, and Star’s membership is comprised of some of the world’s most prominent airlines—including United Airlines, Lufthansa, Air Canada, and 23 others. Of those members, a number have already stepped forward to announce breaches in connection with the attack—and SITA itself would appear to have acknowledged that the affected parties are connected to alliance memberships.
One Alliance member, Air New Zealand, recently wrote to customers that “some of our customers’ data as well as that of many other Star Alliance airlines” had been affected by the SITA attack. Similarly, Singapore Airlines recently told its customers that some of its data had been affected by the breach because “Star Alliance member airlines provide a restricted set of frequent flyer programme [sic] data to the alliance, which is then sent on to other member airlines to reside in their respective passenger service systems.”
It’s unclear whether all of the Star Alliance members have been affected. A SITA representative told TechCrunch that the breach “affects various airlines around the world, not just in the United States,” but declined to name all of them. We have reached out to SITA for comment and will update if they reply.
So far, it would appear that the nature of the breach is more wide than deep. That is, a lot of people seem to have been affected, though in most cases the data that was being shared with SITA does not seem that extensive. In the case of Singapore Airlines, for instance, upwards of 500,000 people had their data compromised, though the data did not include things like member itineraries, passwords, or credit card information. The airline has stated:
Around 580,000 KrisFlyer and PPS members have been affected by the breach of the SITA PSS servers. The information involved is limited to the membership number and tier status and, in some cases, membership name, as this is the full extent of the frequent flyer data that Singapore Airlines shares with other Star Alliance member airlines for this data transfer.
So...having a hacker know how often you fly doesn’t really seem that bad, right? However, even if the SITA breach isn’t that extensive, it’s yet another great example of what kind of problem third parties pose for organizations within a supply chain—and what an appealing target they make for hackers. Because of the convoluted ways in which personal data is collected, stored, and shared, it’s incredibly easy for security officials to miss the weakest link in an industry’s chain. On the other hand, it can be incredibly easy for a hacker to spot one.