580k members’ data leaked from Singapore Airlines’s KrisFlyer programme

SITA, an air transport information technology company, informed Singapore Airlines (SIA) of a data security breach involving their SITA Passenger Service System (US) Inc. (SITA PSS) servers yesterday, according to a statement by the airline. While SIA is not a customer of the SITA PSS, this breach of the SITA PSS server has affected some KrisFlyer and PPS members.

“All Star Alliance member airlines provide a restricted set of frequent flyer programme data to the alliance, which is then sent on to other member airlines to reside in their respective passenger service systems. This data transfer is necessary to enable verification of the membership tier status, and to accord to member airlines’ customers the relevant benefits while travelling,” said the statement.

One of the Star Alliance member airlines is a SITA PSS customer. As a result, SITA has access to the restricted set of frequent flyer programme data for all 26 Star Alliance member airlines including Singapore Airlines.

According to SITA, after confirmation of the seriousness of the data security incident on February 24, 2021, it took immediate action to contact affected SITA PSS customers and all related organizations. The attack was “highly sophisticated” said SITA, and the matter remains under continued investigation by SITA’s Security Incident Response Team with the support of external experts in cyber-security.

Around 580,000 KrisFlyer and PPS members have been affected by the breach of the SITA PSS servers, it was revealed. “The information involved is limited to the membership number and tier status and, in some cases, membership name, as this is the full extent of the frequent flyer data that Singapore Airlines shares with other Star Alliance member airlines for this data transfer,” said SIA.

“Specifically, this data breach does not involve KrisFlyer and PPS member passwords, credit card information, and other customer data such as itineraries, reservations, ticketing, passport numbers, and email addresses as SIA does not share this information with other Star Alliance member airlines for this data transfer.”

Boris Cipot, Senior Security Engineer, Synopsys Software Integrity Group, suggested that the broad scope of the attack is concerning. “A lesson which organisations can take away from this scenario is to create security rules and procedures, not only for internal stakeholders but also for their partners in the supply chain. This means taking the software and service provider processes into consideration when discussing a partnership and defining what security measures will be implemented,” he said.

The airline has reassured all customers that none of SIA’s IT systems have been affected by this incident. It said that it is “proactively reaching out to all KrisFlyer and PPS members to inform them about this incident.” It also tendered an apology to the customers in the media statement.

SITA, meanwhile, said: “If you are the customer of an airline and have a Data Subject Access Request in relation to the handling of your personal data, this request must be made directly to that airline in accordance with GDPR and data protection legislation.”

Sanjay Aurora, Managing Director of APAC at Darktrace, said that “Supply chain attacks have surged at an alarming rate in recent months – from the SolarWinds Orion campaign to the recent attack on Centreon software, we’re seeing that third-party software is an attractive place for attackers to plant themselves and sneak inside their targets.”

“Complex global supply chains offer those with criminal intent many points of vulnerability that may be tested in the pursuit of compromising systems. These attacks are virtually impossible to detect with standard security tools and procedures because the malicious software is packaged as legitimate, within your own laptop or software you have typically relied on, and delivered into the heart of your organisation by trusted suppliers. The challenge that businesses must face urgently is not an audit of all their suppliers but how to manage the pervasive risk that suppliers from all over the world bring,” he commented.