Recent global events have demonstrated that high-profile hacks and state-sponsored security breaches have been steadily increasing since 2020. It is quickly becoming clear that no industry is immune to becoming a victim of a data breach, including the airline industry, where the safety of crew and passengers is jeopardised.
The world was shocked by the recent seizure of a civilian Ryanair jet in Belarusian airspace on May 23, 2021, en route to Lithuania from Greece. For those unaware of this incident, the passenger jet was forced by a Belarusian fighter jet to divert to Minsk under the pretense of having a bomb on board. Instead, Belarus’ KGB security operatives were on the hunt for a known dissident, journalist Roman Protasevich, a prominent critic of Alexander Lukashenko, Belarus’ authoritarian leader.
The Belarus incident alone is sufficient to emphasise the importance of safeguarding passenger data from third parties, whether hackers or dangerous dictators. Worryingly, this is not the first instance of a data security breach in the airline industry in the last year. It was recently announced that Air India had suffered a massive data breach that compromised flyer data from August 2011 to February 2021. If nothing else, this news emphasises the importance of keeping passenger data secure through compliance with major data security rules.
What is Known about Air India’s Data Breach
Air India announced in May 2021 that its customer database had suffered a massive security breach. It informed its affected passengers that the “breach involved some personal data registered between August 2011 and February 2021” and that “no password data was affected.”
Approximately 4.5 million records may have been leaked in this massive security breach. Leaked data included passengers’:
- Contact information
- Date of birth
- Ticket information
- Passport information
- Credit card data
- Frequent flyer data
The circumstances surrounding Air India's security breach are unclear. The breach was discovered during a recent cybersecurity attack on the airline's third-party data processor, SITA PSS, which handles the storage and processing of passengers' personal information in the cloud.
Air India has stated that it first received notice of the breach from its data processor on February 25, 2021. However, it was not advised of the identities of the affected passengers until March 25 and April 5. The airline claims that no password data was breached. It further claims that credit card data was not breached, and that its data processor did not retain CVV/CVC numbers.
Air India Response to the Security Breach
In response to the security breach, Air India announced that it had taken the following steps to ensure passenger data safety:
- Investigating the security breach
- Securing the servers that were compromised
- Working with external data security incident specialists
- Notifying and working with credit card issuers
- Resetting passwords for its Frequent Flyer program
The airline further stated:
“Further, our data processor has ensured that no abnormal activity was observed after securing the compromised servers. While we and our data processor continue to take remedial actions including but not limited to the above, we would also encourage passengers to change passwords wherever applicable to ensure safety of their personal data. The protection of our customers’ personal data is of highest importance to us, and we deeply regret the inconvenience caused and appreciate continued support and trust of our passengers.”
What Needs to Be Done to Protect Business and Customer Data
The Air India security breach was India’s second major airline data breach within six months. In December, IndiGo’s servers were hacked, and the airline announced that it was possible that the stolen information could be uploaded on public websites and platforms by hackers.
The number of security breaches grew exponentially during the COVID-19 pandemic and continues with no stop in sight post-pandemic. Let’s also consider the recent high-profile attacks that have threatened critical infrastructures, such as the cyberattacks on the Colonial Pipeline in the United States and the world’s largest meat supplier JBS. No company is immune from falling victim to a cyberattack.
The question is whether companies like Air India and others are doing enough from a data security and data privacy point of view to protect themselves and the customers who put their trust in them. It is of the utmost importance that organizations take further steps to bulletproof their data from cyberattacks, especially if they are using external third-party services.
Compliance with best-practice data security guidelines and international standards is a significant step to prevent future breaches. Additionally, to mitigate the potential damage of breaches that may occur, it is of utmost importance that an organisation employs a strong encryption strategy and operational processes. To prevent unencrypted data being accessed by unauthorized parties, Air India must take steps to ensure that:
- Its data remains encrypted while at rest in its databases.
- Its data remains encrypted in transit as it moves between clients, applications, and Air India personnel.
- Its hardware security modules (HSMs) are not accessible by the third-party data processor.
- All key management is performed by Air India alone.
- Its encryption keys are never held by its third-party data processor and remain stored in Air India’s vaulted data center.
- Third parties do not have access to readable data.
- Mandatory multifactor authentication of clients is implemented, limiting access to data to authorized persons only, such as passengers, who can view only their own personal data.
These best-practice steps emphasize the need for strong cryptography (using HSMs) and lifecycle key management, so that a business can be confident that its sensitive data (at rest or in use) is protected against breaches and that confidential data remains encrypted regardless of whether attackers gain access to it.
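The key-custody split in the list above, as an added Go example that is not code from the original article: the data owner encrypts each record before it reaches the third-party processor, so the processor stores only ciphertext and a stolen copy is unreadable without the owner's key. The in-memory `key` stands in for a key held in the owner's HSM, and the function names and the `PNR-0001` record are constructed for illustration.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key) // rejects keys that are not 16, 24 or 32 bytes
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Protect runs owner-side; key stands in for an HSM-held key, id is bound in as AAD.
func Protect(key []byte, id string, plain []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plain, []byte(id)), nil // nonce||ciphertext||tag
}

// Recover runs owner-side on the blob fetched back from the third-party processor.
func Recover(key []byte, id string, box []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	n := gcm.NonceSize()
	if len(box) < n {
		return nil, fmt.Errorf("stored blob too short: %d bytes", len(box))
	}
	return gcm.Open(nil, box[:n], box[n:], []byte(id)) // fails on wrong key, wrong id or tampering
}

func main() {
	key := make([]byte, 32) // constructed demo key, random per run
	rand.Read(key)
	box, _ := Protect(key, "PNR-0001", []byte("passport=X0000000")) // constructed record
	out, err := Recover(key, "PNR-0001", box)
	fmt.Println(len(box), string(out), err)
}
```

Because the record ID is authenticated as associated data, a blob copied under a different ID at the processor fails to open, as does any blob presented with a key other than the owner's.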