United, British Air Sound Alarm on Alliance Data Breach
(Bloomberg) -- British Airways, United Airlines Holdings Inc. and Singapore Airlines Ltd. were among carriers affected by a cyberattack that hit the Star and Oneworld alliances, exposing some loyalty-program member information.
SITA Passenger Service System Inc.’s processing services were hit by a “highly sophisticated but limited” breach that targeted personal data stored on servers at its data center in Atlanta, the company confirmed in an emailed statement. The problem was identified on Feb. 24, and the hackers were able to access the data for less than a month, it said. SITA PSS is a unit of SITA Group, a closely held international group of companies based in Geneva.
The breach potentially exposes information belonging to frequent flyers worldwide, with 26 member airlines in the Star Alliance and 13 in Oneworld. SITA is still notifying affected airlines and declined to specify what data was compromised. The extent to which each carrier was affected varies, it said. The information collected by SITA PSS was used to facilitate awards of frequent flyer miles and other privileges recognized by each alliance’s member airlines.
SITA said it “immediately mobilized” experts to address the breach and that “the matter remains under active investigation.”
Exposed information didn’t include financial information or passwords of British Airways customers, and wasn’t a breach of the carrier’s systems, the airline said by email. Executive Club members’ names, membership numbers and some of their preferences, such as seating, may have been accessed, it said. The carrier encouraged members to reset their program password.
American Airlines Group Inc. and United also said that only similar limited data was disclosed and didn’t include financial information or passwords that would allow access to individual loyalty accounts. The carriers said their own information systems weren’t compromised. SITA only had information for United’s premium frequent flyers, meaning that passengers in the general program wouldn’t have been affected, the airline said.
Singapore Airlines told members of its KrisFlyer loyalty program in an email that about 580,000 of them were affected and that exposed data included their plan membership number, tier status and, in some cases, their name. That data is all the carrier shares with other Star Alliance members, and credit card information and travel details weren’t involved, it said. Cathay Pacific Airways told its customers that the breach didn’t involve its systems and said their accounts remain secure.
Star Alliance said it collects minimal data from customers so that member airlines can recognize premium customers of each carrier in the group, while Oneworld said the breach didn’t directly affect its systems. Delta Air Lines Inc., a member of the SkyTeam Alliance, said there was “no indication” its information was exposed.
The cyberattack was reported earlier by the Business Times.
©2021 Bloomberg L.P.