Passenger data from multiple airlines around the world has been compromised after hackers breached servers belonging to SITA, a global information technology company.

Close to a dozen air carriers have informed passengers that some of their data has been accessed by an intruder breaching SITA's Passenger Service System (PSS), a service that handles transactions from ticket reservations to boarding.

The total number of travelers impacted remains unclear but the figure is over 2.1 million, most of them being participants in Lufthansa Group’s Miles & More frequent flyers and awards program, the largest in Europe.

Star Alliance, Oneworld airlines affected

SITA confirmed the cyberattack in a short public statement on Thursday saying that it contacted affected PSS customers and all related organizations.

A SITA representative told BleepingComputer that the intrusion impacts data of passengers from the airlines listed below. All companies have already informed their customers or issued a public statement about the breach.

  • American Airlines - major US-based airline 
  • Lufthansa - combined with its subsidiaries, it is the second-largest airline in Europe in terms of passengers carried; Star Alliance member and Miles & More partner
  • Air New Zealand - flag carrier airline of New Zealand
  • Singapore Airlines - flag carrier airline of Singapore
  • SAS - Scandinavian Airlines (disclosure here); 
  • Cathay Pacific - flag carrier of Hong Kong
  • Jeju Air - the first and largest South Korean low-cost airline
  • Malaysia Airlines - flag carrier airline of Malaysia
  • Finnair - flag carrier and largest airline of Finland

Some reports say that Japan Airlines is also affected. The first four companies in the list are part of Star Alliance, a global airline network with 26 members, Lufthansa being one of the five founders.

A larger number of carriers are likely impacted but SITA declined to name them before they publish statements about the breach.

SITA says that it confirmed "the seriousness of the data security incident on February 24, 2021," without disclosing how many individuals have been impacted or when the attack occurred.

A Lufthansa representative said in a statement for BleepingComputer that the hackers entered the reservation system of an Asian airline that is a Star Alliance member between January 21 and February 11.

Star Alliance received a notification from SITA about the PSS breach on February 27. Star Alliance says that they were informed that not all its member carriers are affected, but it does not exclude this possibility.

Singapore Airlines disclosed the breach on Thursday, explaining how data of approximately 580,000 members of its KrisFlyer frequent flyer program has been compromised. The company also emailed its customers saying that while it does not use SITA’s PSS, another Star Alliance member does, meaning that SITA has access to a restricted set of frequent flyer data shared by all Star Alliance members.

The Miles & More frequent flyer program counts among its partners 37 airline partners that include all 26 Star Alliance member. Other partners in the program are:

  • luxury and affordable hotels (Althoff, Hyatt, Marriott International, Jumeirah, Kempinski, Meliá, BestWestern, H-Hotels, HRS, Hyatt, IHG)
  • car rental companies (Sixt, Hertz, AVIS, Europcar, Enterprise, Budget)
  • shops for redeeming loyalty point (Dezerved, Heathrow Rewards, Heinemann, Lufthansa WorldShop, Bicester Village Shopping Collection, welcome Shop)
  • finance companies (UniCredit, Visa)
  • travel agencies (Get Your Guide, Kreuzfahrten)

Because the hackers breached the reservation system of the undisclosed Asian Airline that is also a Star Alliance member, customer data from Miles & More is also impacted by the incident - about 1.35 million participants in the program, many having the “frequent flyer” status, Lufthansa said.

The stolen information refers to the service card number, the status level, and, in some cases, the name of the participant. More sensitive details (passwords, email addresses) are not impacted.

Star Alliance confirmed to BleepingComputer that its members share customer details that are relevant to awarding traveling benefits and are limited to membership name, frequent flyer program membership number and program tier status.

To note, among the carriers affected by the breach - directly or indirectly - are members of the Oneworld airline alliance (Malaysia Airlines, Cathay Pacific, Finnair).

In emails to customers, Finnair disclosed that some of their frequent flyer data has been accessed as part of the SITA PSS breach. As in the case of Singapore Airlines, the company does not use PSS and the incident occurred because Finnair shares some frequent flyer data with its partners.

Yle reports that about 200,000 members of the Finnair Plus program are affected. However, the stolen data cannot be used to access accounts for that program. Also, the airline assesses that “the risk of this data being misused in other contexts is relatively low.”

Related Articles:

FCC orders telecom carriers to report PII data breaches within 30 days

Retail chain Hot Topic hit by new credential stuffing attacks

INC Ransom threatens to leak 3TB of NHS Scotland stolen data

Fujitsu found malware on IT systems, confirms data breach

AT&T says leaked data of 70 million people is not from its systems