A cyberattack on systems at airline data service provider SITA has resulted in the leaking of personal data of 4.5 million passengers worldwide, Air India told its customers earlier this month. The data breach highlights the risk that third-party IT systems pose to airlines and their customers.

SITA first notified the airline of the breach on February 25, 2021, but it wasn’t until March 19 that Air India disclosed it on its website. And while Air India received further details of the extent of the breach on March 25 and April 5, it waited until May 15 before passing them on to its customers.

The compromised dataset comprises passenger information collected between August 26, 2011 and February 3, 2021. It includes names, contact information, dates of birth, passport details, ticket information, and credit card details, although the Card Verification Values (CVVs) of the compromised cards are not stored by the system, Air India said.

Since the breach was disclosed, SITA has reported no unauthorized activity in the passenger service system’s infrastructure.

The incident is the second major data breach to affect an Indian airline in the last two years. In January 2020, a security researcher revealed that SpiceJet had suffered a data breach that led to the compromise of 1.2 million passenger records.

Growing concerns around third-party risk management

The Air India data breach is not a standalone incident. The cyberattack on SITA’s passenger service system affected Singapore Airlines, Lufthansa, Malaysia Airlines and Cathay Pacific as well.

Following the breach disclosure, security experts have highlighted the criticality of managing third-party risk and securing the supply chain.

David Sygula, senior cybersecurity analyst at CybelAngel, explained that as organizations rely on cloud providers to drive digital transformation, managing third-party risk is critical today. “Organizations must constantly scan for leaked documents outside the enterprise perimeter, including connected storage, open databases, cloud applications, and the dark web to uncover confidential and sensitive data quickly, before it is exploited,” he said.

Almost all recent data breaches can be attributed to shortcomings either in technology or in user behavior. As Dipesh Kaura, general manager at Kaspersky (South Asia), explains, “While enterprises build a robust security infrastructure for their networks, they often fail to protect themselves from the two other equally important aspects: human error and third-party service providers.”

While airline companies deploy state-of-the-art firewalls and set up next-gen security practices, Sonit Jain, CEO of GajShield Infotech, believes they turn a blind eye to managing vulnerabilities and risk stemming from supply chain systems and third-party data processors. “Though no airline systems were directly attacked, it raises concern on how cyber attackers are finding it easy to use third-party services and product providers, rather than spend effort and time penetrating the cyber defenses of an enterprise,” he said.

Security audits are no silver bullet

In 2016, Air India stated that its cybersecurity infrastructure would be augmented with the implementation of the framework recommended by the National Critical Information Infrastructure Protection Centre (NCIIPC). Additionally, the airline said that committees would be formed to assess and mitigate any security incidents and oversee the progress of policy implementation.

However, none of these measures could thwart the data breach, which is further proof that testing for vulnerabilities and assessing risks cannot be left to auditors and regulators.

“First and foremost, organizations constantly neglect to implement basic security controls; these defects are then not detected by auditors and regulators. Secondly, the lack of adequate monitoring and detection means that security breaches go unnoticed for months,” said David Spinks, chairman and moderator of Global Digital Identity (GDI).

Lessons for airline CISOs

For Kaura, it’s evident that humans are the weakest link in the cybersecurity ecosystem, and therefore it’s important for organizations to train their non-IT staff and make them aware of phishing, malware, and brute-force attacks.

For Sonit Jain, on the other hand, it’s prudent to limit the amount of data shared with third-party vendors. “You need to be as diligent with third parties as you are with your own enterprise. Any weakness in this link will only weaken your enterprise security,” he said.

In addition, he believes organizations shouldn’t lock themselves in to a single vendor and that it’s essential to plan an exit strategy. It would also help if employees of the partner company followed the same policies as the organization’s own employees.

The Air India security incident serves as a valuable lesson for airline companies not only in India but across the globe, given their reliance on third-party data processors and supply chain vendors.