1 November 2022, London Marriott Hotel County Hall
21 November 2022, Hilton London Metropole
November 2022, Virtual
Airline technology provider SITA this week acknowledged that it was hit last month by a "highly sophisticated" cyberattack targeting passenger data in its Passenger Service System servers, which serves a number of different airlines.
SITA in a statement did not detail what sort of data was targeted or stolen during the attack, which hit its US servers on 24 February, but said it "initiated targeted containment measures" and "took immediate action to contact affected SITA PSS customers and all related organisations." The incident remains under investigation, according to SITA.
While SITA has not disclosed which airlines' data were affected, some carriers have issued their own statements about the breach. Singapore Airlines, for one, said the breach affected around 580,000 members of its KrisFlyer and PPS programmes. Although Singapore is not a SITA PSS customer, it—along with all other Star Alliance airlines—provide data from its frequent-flyer programme to the alliance, which other member airlines using the system then store.
"The information involved is limited to the membership number and tier status and, in some cases, membership name, as this is the full extent of the frequent flyer data that Singapore Airlines shares with other Star Alliance member airlines for this data transfer," according to Singapore Airlines' statement. "Specifically, this data breach does not involve KrisFlyer and PPS member passwords, credit card information and other customer data, such as itineraries, reservations, ticketing, passport numbers and email addresses as SIA does not share this information with other Star Alliance member airlines for this data transfer."
Both Malaysia Airlines and Finnair also have notified customers about the breach and encouraged them to change their loyalty programme passwords as a precaution, though both also said they had no evidence that passwords were disclosed in the breach.
[Update, March 5] United Airlines also sent a note to customers encouraging them to change MileagePlus passwords "out of an abundance of caution," though the carrier said no passwords, personal information or other sensitive data was accessed beyond names, MileagePlus numbers and Star Alliance status.
American Airlines in a statement said the breach also involved "a limited amount of AAdvantage loyalty data," and like the other carriers, said it did not include passwords or financial information. The carrier has notified members who were affected by email, according to the statement.
A Delta Air Lines spokesperson said there has been no indication of exposure to the carrier.