Customer’s personal information is not safe online. Data breaches happen on an almost daily basis, exposing the customer’s email addresses, passwords, credit card numbers, social security numbers, and other highly sensitive data. Unfortunately, most people do not understand the gravity of the problem until it personally affects them through identity theft or other malicious activity. From DDoS assaults to cybersecurity exploits that result in a data breach, cyber-attacks present a growing threat to businesses, governments, and individuals (Thomason, 2013).
On May 21st, 2021, Air India was subjected to a cyberattack where the personal details of about 4.5 million customers around the world were compromised including passport, credit card details, birth dates, name, and ticket information. The breach affected customers who registered between August 2011 and late February 2021. Compromised data included customers’ names, date of birth, contact information, passport information, Air India frequent flyer data, and credit card data, although CVV/CVC numbers weren’t included and password data was not affected. Air India informed that the data processor of the passenger service system which is responsible for storing and processing of personal information of the passengers had been subjected to a cybersecurity attack leading to personal data leak of certain passengers. Each affected airline has been provided with the details of the exact type of data that has been compromised, including details of the number of data records within each of the relevant data categories, including some personal data of airline passengers. As the data leak contains the customer’s passport address, phone number, name, and other personal data, a new type of scam include a person, pretending to be a delivery executive, knocking at customer’s door with a random package, and forcing them to pay money for the same. This is the typical cash-on-delivery scam which includes the scammer manipulating and harassing the customers to pay for something that they haven’t ordered. Also, the customers may call from a so-called customer care executive from Air India, the bank or any other company that claims to fix an issue with customers account or talks about some credit card offers or protection plans. The customers may also receive any calls or messages that ask for an OTP that they have received on their phone number. With the amount of personal data, it’s very easy for scammers to manipulate the customers into a bigger scam. When personally identifiable information is stolen, it could greatly impact the user’s finances. A cybercriminal can use financial information for simple malicious activities such as paying bills, performing fraudulent online transactions, and transferring money out of victims’ bank accounts.
By global and industry standards, Air India has quickly identified the cyber-attack and the airline has now taken steps to ensure data safety, including investigating the data security incident, securing the compromised servers, engaging external specialists of data security incidents, notifying and liaising with the credit card issuers, and resetting passwords of Air India FFP program. While Air India continued to take remedial actions, they also encouraged passengers to change passwords wherever applicable to ensure the safety of their personal data.
Thomason, C. (2013). United States v. Nosal: Separating Violations of Employers’ Computer-Use Policies From Criminal Computer Hacking Invasions. Golden Gate University Law Review, 43(1), 163–177.