UK regulator probes Air India's data leak impacting 4.5 mn passengers

EU and UK laws require airlines to incorporate data protection measures and report data breach to regulators within 72 hours. Non-compliance can invite steep fines

The United Kingdom’s data protection regulator is investigating the leak of Air India’s passenger data which has impacted 4.5 million customers globally.

India does not have a specific data protection law and a bill on the subject is pending in Lok Sabha since 2019. However, European Union and UK laws require airlines to put in place measures for data protection and report cases of data breach to regulators in the continent within 72 hours of becoming aware of it. Non-compliance or negligence can result in steep fines.

“Air India has reported an incident to us and we are investigating. Anyone who is concerned about their personal data should contact the airline first. If they are still not satisfied they can bring their concerns to the ICO,” said a spokesperson of the Information Commissioner’s Office, the UK’s data protection regulator.

In a May 15 notification to passengers Air India informed that personal data of 4.5 million customers was impacted following a cybersecurity attack on the servers of SITA, which provides passenger service systems to the airline.

This included personal data registered between August 2011 to February 2021 and includes passenger names, date of birth, contact information, passport information, ticket information, frequent flyer and credit card data.

While the airline received an intimation of the cybersecurity attack on February 25, it said the identity of the affected customers was made available by SITA on March 25 and April 5.

Though the airline is facing criticism for delay in informing passengers, an aviation source familiar with the matter said Air India undertook the necessary steps in accordance with law.

“As soon as the airline became aware of the data breach it reported the incident to all the regulators in Europe and other geographies in 72 hours. The airline has also engaged lawyers overseas following the incident to advise it on future actions. As of now there is no report of any adverse event or misuse of passenger credit cards,” the source

said.

Air India did not respond to an email query on the topic.

Earlier the airline said it has taken various steps following the incident including an investigation. It said compromised servers have been secured and external data protection specialists have been engaged. It has also liaised with credit card issuers.