A third-party IT vendor that manages ticket-processing and frequent-flier data for hundreds of major global airlines — including all Star Alliance and OneWorld members — says a “highly sophisticated” cyber attack has compromised the personal data of millions of travelers enrolled in loyalty programs.
Atlanta-based SITA confirmed on Thursday that hackers had caused “a data security incident involving certain passenger data” stored on its servers, according to a statement. It appears that hackers were able to access some computer systems for up to a month before SITA became aware of the incident in late February.
SITA, which serves more than 400 airlines making up around 90% of the global aviation industry, said the airlines most affected were Lufthansa, Singapore Airlines and New Zealand Air. Those three airlines had a combined two million passenger records accessed.
During the pandemic, while Americans have been spending more time at home and less time traveling, cyberthieves have increasingly targeted loyalty program miles and points, according to a recent “State of the Internet” report from Akamai Technologies, the global cybersecurity platform.
After the Covid-19 lockdowns began in early 2020, Akamai noticed an uptick in loyalty program accounts being sold on the dark web. Between July 2018 and June 2020, Akamai observed more than 100 billion credential stuffing attacks, and more than 63 billion of them targeted the retail, travel, and hospitality sectors.
Singapore Airlines said in a statement that, while it was not a customer of SITA, data from over 580,000 frequent flier accounts was hacked because of its membership in Star Alliance.
“SITA has access to the restricted set of frequent flyer programme data for all 26 Star Alliance member airlines including Singapore Airlines,” said Singapore Airlines’ statement, adding that data sharing was necessary to verify membership tier status, “and to accord to member airlines’ customers the relevant benefits while traveling.”
At this point, at least 10 airlines have emailed frequent flier members to notify them that some personal data has been compromised.
Air New Zealand customers received an email on Friday saying that “some of our customers’ data as well as that of many other Star Alliance airlines” had been affected, but it was limited to “your name, tier status and membership number,” according to the email. “This data breach does not include any member passwords, credit card information or other personal customer data such as itineraries, reservations, ticketing, passport numbers, email addresses or other contact information.”
Likewise, in an email to frequent fliers, United Airlines recommended that customers change their account passwords “out of an abundance of caution” but said that the only customer data potentially accessed were names, frequent-flyer numbers and program status.
One reason that loyalty programs make easy targets is that they have a perception problem, according to the Akamai report. Many consumers don’t think of loyalty and rewards accounts as high risk, so they are more likely to use weak passwords.