A cyber attack on Air India’s data processing systems resulted in a breach that compromised the personal data of about 4.5 million passengers.
Data registered between August 26, 2011, and February 3, 2021, was compromised during the cyber attack, Air India, a Star Alliance member, said in a statement on its website.
The breach affected personal data such as name, contact, passport, ticket and credit card details.
However, payment information is not at risk as credit card security codes are not held by Sita PSS, the airline's data processing company.
The airline first reported the breach in March and revealed that it had been notified of the cyber attack by its data processing company on February 25.
Sita PSS, which provides information technology services to the aviation industry, said in a March statement that it was the "victim" of "a highly sophisticated attack".
Air India has since launched an investigation and taken steps to secure compromised servers.
It has also hired external data security specialists, notified and liaised with the credit card issuers and reset Air India frequent flyer programme passwords.
“Our data processor has ensured that no abnormal activity was observed after securing the compromised servers,” the airline said.
“While we and our data processor continue to take remedial actions ... we would also encourage passengers to change passwords wherever applicable to ensure safety of their personal data.”
Air India did not reveal the identity of who was behind the attack.
“The protection of our customers’ personal data is of the highest importance to us and we deeply regret the inconvenience caused,” the airline said.
The data breach is a further blow for debt-laden Air India as it tries to cut costs while the Indian government tries to sell its stake in the carrier.
Other airlines have suffered cyber attacks in the past. Budget operator easyJet said last year that hackers had taken the email and travel details of about nine million customers.