Global air transport data giant SITA has confirmed a data breach involving passenger data.
The company said in a brief statement on Thursday that it had been the “victim of a cyberattack,” and that certain passenger data stored on its U.S. servers had been breached. The cyberattack was confirmed on February 24, after which the company contacted affected airlines.
SITA is one of the largest aviation IT companies in the world, said to be serving around 90% of the world’s airlines, which rely on the company’s passenger service system Horizon to manage reservations, ticketing, and aircraft departures.
But it remains unclear exactly what data was accessed or stolen.
When reached, SITA spokesperson Edna Ayme-Yahil declined to say what specific data had been taken, citing an ongoing investigation. The company said that the incident “affects various airlines around the world, not just in the United States.”
SITA confirmed it had notified several airlines — Malaysia Airlines; Finnair; Singapore Airlines; and Jeju Air, an airline in South Korea — which have already made statements about the breach, but declined to name other affected airlines.
In an email to affected customers seen by TechCrunch, Singapore Airlines said it was not a customer of SITA’s Horizon passenger service system but that about half a million frequent flyer members had their membership number and tier status compromised. The airline said that the transfer of this kind of data is “necessary to enable verification of the membership tier status, and to accord to member airlines’ customers the relevant benefits while traveling.”
The airline said passenger itineraries, reservations, ticketing, and passport data were not affected.
SITA is one of a handful of companies in the aviation market providing passenger ticketing and reservation systems to airlines, alongside Sabre and Amadeus.
Sabre reported a major data breach in mid-2017 affecting its hotel reservation system, after hackers scraped over a million customer credit cards. The U.S.-based company agreed in December to a $2.4 million settlement and to make changes to its cybersecurity policies following the breach.
In 2019, a security researcher found a vulnerability in Amadeus’ passenger booking system, used by Air France, British Airways, and Qantas among others, which made it easy to alter or access traveler records.