Air India data breach highlights concerns around third-party risk and supply-chain security

A cyberattack on systems at airline data service provider SITA has resulted in the leaking of personal data of 4.5 million passengers worldwide, Air India told its customers earlier this month. The data breach highlights the risk posed to airlines and their customers of third-party IT systems.

SITA first notified the airline of the breach on February 25, 2021, but it wasn’t until March 19 that Air India disclosed it on its website. And while Air India received further details of the extent of the breach on March 25 and April 5, it waited until May 15 before passing them on to its customers.

The compromised dataset comprises passenger information collected between August 26, 2011 and February 3, 2021. It includes names, contact information, dates of birth, passport details, ticket information, and credit card details—although the Card Verification Values (CVVs) of the compromised cards are not stored by the system, Air India said.

Since the breach was disclosed, SITA has reported no unauthorized activity in the passenger service system’s infrastructure.

The incident is the second major data breach to affect an Indian airline in the last two years. In January 2020, a security researcher revealed that SpiceJet suffered a data breach that led to the compromise of 1.2 million passenger records.

Growing concerns around third-party risk management

The Air India data breach is not a standalone incident. The cyber-attack on SITA’s passenger service system affected Singapore Airlines, Lufthansa, Malaysia Airlines and Cathay Pacific as well.

Following the breach disclosure, security experts have highlighted the criticality of managing third-party risks and securing the supply chain.

David Sygula, senior cybersecurity Analyst as CybelAngel, explained that as organizations are relying on cloud providers to drive digital transformation, managing third-party risk is critical in the present day.

“Organizations must constantly scan for leaked documents outside the enterprise perimeter, including connected storage, open databases, cloud applications, and the dark web to uncover confidential and sensitive data quickly, before it is exploited,” he said.

Almost all recent data breaches can be attributed to either shortcomings in technology or in user behavior. As Dipesh Kaura, general manager at Kaspersky (South Asia) explains, “While enterprises build a robust security infrastructure for their networks, they often fail to protect themselves from the two other equally important aspects: human error and third-party service providers.”

While airline companies deploy state-of-the-art firewalls and set up next-gen security practices, Sonit Jain, CEO of GajShield Infotech believes they turn a blind eye to managing vulnerabilities and risk stemming from supply chain systems and third-party data processors.

“Though no airline systems were directly attacked, it raises concern on how cyber attackers are finding it easy to use third-party services and product providers, rather than spend effort and time penetrating the cyber defenses of an enterprise,” he said.

Security audits are no silver bullet

In 2016, Air India stated that its cybersecurity infrastructure would be augmented with the implementation of the National Critical Information Infrastructure Protection Center (NCIIPC) recommended framework. Additionally, the airline said that committees would be formed to assess and mitigate any security incidents and oversee the progress of policy implementation.

However, none of these measures could thwart the data breach, and is further proof that testing for vulnerabilities and assessing risks cannot be left to auditors and regulators.

“First and foremost organizations constantly neglect to implement basic security controls; these defects are then not detected by auditors and regulators. Secondly the lack of adequate monitoring and detection means that security breaches go unnoticed for months,” said David Spinks, chairman and moderator of Global Digital Identity (GDI).

Lessons for airline CISOs

For Kaura, it’s evident that humans are the weakest link in the cybersecurity ecosystem, and therefore it’s important for organizations to train their non-IT staff and make them aware of phishing, malware, and brute force attacks.

For Sonit Jain, on the other hand, it’s prudent to limit the amount of data shared with third-party vendors.“You need to be as diligent with third parties as you are with your own enterprise. Any weakness in this link will only weaken your enterprise security,” he said.

In addition to this, he believes organizations shouldn’t lock on to a single vendor and that it’s essential to plan an exit strategy. It would also help if employees of the partner company follow the same policies as the organization’s own employees.

The Air India security incident serves as a good learning for airline companies not only in India, but also across the globe, given the reliance on third-party data processors and supply chain vendors.