SITA says in late February it confirmed a “highly sophisticated” cyber
attack that took place over multiple weeks – but “less than a month” – and involved
passenger data stored on its Horizon Passenger Service System.
The breach impacts several
airlines, including some that do not use SITA’s PSS system but whose frequent
flyer data passed through it.
Singapore Airlines, Finnair and
British Airways have acknowledged data from their frequent flyer programs was
breached in the incident.
In a statement, Singapore Airlines
says, “While SIA is not a customer of the SITA PSS, this breach of the SITA PSS
server has affected some KrisFlyer and PPS [Priority Passenger Service] members.
All Star Alliance member airlines provide a restricted set of frequent flyer program
data to the alliance, which is then sent on to other member airlines to reside
in their respective passenger service system. ... One of the Star Alliance
member airlines is a SITA PSS customer. As a result, SITA has access to the restricted
set of frequent flyer program data for all 26 Star Alliance member airlines
including Singapore Airlines.”
Singapore Airlines says
about 580,000 of its KrisFlyer and PPS members have been affected.
SITA says in addition to Singapore Airlines, other Star Alliance
airlines impacted include Air New Zealand, Lufthansa and Aegean Airlines, with
the extent of the incident varying from one to another. And in addition to
Finnair and British Airways, SITA says other Oneworld airlines such as
Malaysia Airlines, Japan Airlines, Cathay Pacific and Iberia have acknowledged an
impact to their frequent flyer programs. SITA also says Jeju Air in South Korea
is involved.
Singapore Airlines, as well as British Airways and Finnair, all
say the information accessed did not include financial details or passwords. In
most cases, it appears the breach accessed frequent flyer membership number,
tier status and, in some cases, membership name.
When
asked what is stored in its Horizon PSS, SITA says, “At minimum, passenger systems will
include a passenger’s name, itinerary and some form of contact information in
order to facilitate making a travel reservation. There may be additional
information as required by governments to enable travel or as optionally
provided by passengers to express their preferences and entitlements.”
Singapore Airlines, Finnair and British Airways have emphasized in
communications that the attack did not touch their internal systems.
It’s
unclear when the breach began but SITA says it confirmed the “seriousness” of
the attack on February 24 and then contacted affected PSS “customers and related
organizations.”
“By global and industry standards, we identified this
cyber-attack extremely quickly. Our investigations indicate that the total
period during which the cyber-attacker(s) were able to access our systems was
less than one month. We are confident in the countermeasures we have put in
place. At this time, all indications are that the cyber-attack stopped in
February. Of course, with this type of attack we know we must stay vigilant and
keep up our guard,” SITA says in an email.
SITA says it has retained a global law firm to provide
advice on legal and regulatory issues related to the attack.