Singapore Airlines frequent flyer members hit in third-party data security breach

Data belonging to 580,000 KrisFlyer and PPS members have been compromised in a cybersecurity attack that hit air transport IT company SITA, making Singapore Airlines the second carrier in the week to report a data breach.
Written by Eileen Yu, Senior Contributing Editor

Data belonging to 580,000 Singapore Airlines' frequent flyer members have been compromised in a cybersecurity attack that originally hit air transport communications and IT vendor, SITA. The incident marks the second time in a week that an airline has reported a data breach, which appears also to be the result of the attack targeting SITA.

While not a customer of SITA, Singapore Airlines (SIA) had shared a "restricted" set of data as a member of the Star Alliance group, the airline said in a statement late Thursday. This was necessary to facilitate verification of membership tier status and provide customers of other member airlines the relevant benefits while they travelled.

Such data would reside on the passenger service systems of member airlines, SIA said. The national carrier did not specify when it was informed by SITA about the breach, which impacted the latter's passenger service system servers. 

One member of Star Alliance had used this SITA system. The international airline alliance has 26 members, including Air Canada, United Airlines, and Lufthansa. 

Affected SIA customers were members of its KrisFlyer programme as well as its higher-tier PPS frequent flyer programme, the airline said, adding that compromised data was limited to the membership number and tier status, though in some instances the membership name was also illegally accessed.

The data leakage was relatively contained because these were the only details shared with the Star Alliance group. 

"Specifically, this data breach does not involve KrisFlyer and PPS member passwords, credit card information, and other customer data such as itineraries, reservations, ticketing, passport numbers, and email addresses," the Singapore carrier said. "We would also like to reassure all customers that none of SIA's IT systems have been affected by this incident."

On its part, SITA released a statement on its website confirming the security breach was the result of "a highly sophisticated attack". 

It said it ascertained the "seriousness" of the incident on February 24, after which it took "immediate action" to inform all affected customers. Adding that it deployed "targeted" containment measures, SITA said its security incident response team was investigating the breach alongside external cybersecurity experts. 

In an email response to ZDNet's questions, a SITA spokesperson declined to say when the breach was first discovered internally prior to the February 24 notification, citing "tactical and security reasons". She reiterated that investigations and forensic work were ongoing, and was unable to confirm how compromised systems were infiltrated. 

She also would not reveal which other organisations were impacted by the breach or the types of data that were compromised, as SITA was still in the process of informing all affected parties.

She did, however, point to several airlines that already had reached out to their customers and made public statements confirming they were affected by the data breach. These included Jeju Air, Finnair, and Malaysia Airlines, she said. 

This indicated that SITA was involved in a breach reported earlier this week that affected Malaysia Airlines' Enrich frequent flyer members. While it had yet to make a public statement on the security incident, the airline told Enrich members it was the result of an attack that targeted a third-party IT service provider, which it did not name. 

In its note, which offered scant details of the breach, Malaysia Airlines said compromised information had included date of birth and contact information between the period of March 2010 and June 2019. 

In her response to ZDNet, the SITA spokesperson clarified that this timeframe referred to the period during which the compromised data was registered. It did not refer to the length of the window of compromise, which she revealed to be less than a month.

According to SITA, the vendor has 2,800 customers including airlines, airports, and government agencies. Pre-pandemic, 146 million passengers used its in-flight mobile service, it said. 

