It's easy to feel jaded about data breaches given how often they happen. But it will raise eyebrows that hackers obtained data on loyalty flyers of Cathay Pacific, Finnair, Japan Airlines, Lufthansa, Malaysia Airlines, Singapore Airlines, United, and other carriers by exploiting a SITA tech system not used by most of them.
More than two million travelers enrolled in the frequent flier programs of at least ten airlines had some of their data hacked, according to messages they received recently from the carriers.
Cathay Pacific, Finnair, Japan Airlines, Jeju Air, Lufthansa, Malaysia Airlines, New Zealand Air, SAS, Singapore Airlines, and United contacted their customers about the incident.
UPDATE: American Airlines and British Airways informed affected passengers on Friday afternoon. It now appears the breach affected all carrier members of Star Alliance and the One World alliance.
The carrier most affected appeared to be Lufthansa Group, with 1.3 million records accessed. Singapore Airlines, said that hackers accessed data on about 580,000 passengers who belong to its various loyalty programs. Finnair said hackers accessed records for 200,000 loyalty members.
Airline statements said the hack posed only a modest risk to members because they believe hackers only accessed basic data, such as a passenger’s name, tier status in a loyalty program, and membership number.
SITA confirmed the incident on February 24 and publicly disclosed it yesterday. United Airlines said SITA told it on February 27.
It was unclear how long hackers had access to the system. Some airline officials said it spanned a period of up to a month. Malaysia Airlines suggested in a statement that hackers may have had access to records relating to membership between 2010 and 2019, for example.
Airline statements generally said the data breach excluded member passwords, credit card information, or other personal customer data such as itineraries or passport numbers.
For example, United sent an email to customers noting that “frequent flyer data stored in the third-party system, specifically first and last name, MileagePlus number, and Star Alliance tier status (Star Gold or Star Silver only)” was all that was exposed.
It wasn’t clear if hackers or people the hackers shared the data with attempted to access member loyalty accounts to move points into cash via tools such as at e-commerce tech partner Points.com. The airlines said in statements that they were monitoring any suspicious activity concerning its members’ accounts.
SITA’s Data Breach
The cybersecurity incident involved the Horizon passenger service system servers of SITA (Société Internationale de Télécommunications Aéronautiques), a technology provider owned by the airline industry and based in Geneva. SITA said it had stored the relevant records in a data center run by one of its companies in Atlanta, Georgia.
A distinctive aspect of the data breach is that most of the airlines are not customers of SITA’s passenger service system, an operational tool that helps airlines with critical functions.
It’s common for alliance members to recognize the frequent flyer scheme tiers of the passengers they carry. That practice requires the sharing of frequent flyer data among alliance members and the tech vendors that serve those alliance members.
“SITA’s passenger service system was holding the data of airlines that are not its direct customers, but are alliance members because other airlines that are SITA passenger service system customers have an obligation to recognize the frequent flyer status of individual passengers and ensure that such passengers receive the appropriate privileges when they fly with them,” said spokesperson Edna Ayme-Yahil on Friday.
Jeju Air, a low-cost carrier based in South Korea, was the only one of the publicly disclosed affected airlines that is a customer of SITA’s Horizon passenger service system. Hackers also accessed the data of Jeju Air, the carrier said. It doesn’t belong to one of the major global alliances.
Data security publication The Register on Friday reported an airline spokesperson as saying the attack began in late January after a hacker entered via SITA’s passenger service system used by “an Asian carrier.”
Full Scope of the Breach Unknown
Star Alliance has 26 member carriers, including some that haven’t made public statements yet about a breach.
Jeju Air belongs to a “value alliance” with several other low-cost carriers.
“No ‘value alliance’ frequent flyer program data was stored on the SITA PSS frequent flyer program records server,” said the SITA spokesperson.
Data breaches have happened before in the travel sector.
British Airways suffered a 2018 incident that exposed details of more than 400,000 of its customers. In October 2020, the UK’s data protection regulator reduced a fine over the incident to about $27 million (£20 million).
Sabre reported a major data breach in mid-2017, when hackers stole more than 1 million customer credit cards, affecting its hotel booking system. The Southlake, Texas-based company agreed to a $2.4 million settlement in December.
For more context, see Ransomware Attacks on Travel Companies Spread, Sparking Complacency Fears.
UPDATE: Story was updated to add details from a response from a United Airlines spokesperson and updates due to messages from American Airlines and British Airways.
Skift Daily Newsletter
Get the travel industry’s daily must-read email 6 days a week
Photo credit: A Lufthansa Group business lounge at Frankfurt Airport for members of its loyalty program. The airline's loyalty program was one of many victimized by a hack of tech vendor SITA's systems. Lufthansa Group