At least 4.5 million people had their personal data exposed after an IT system used by Air India was subjected to a “sophisticated cyber attack”.
The airline was first notified of the breach in February, but only disclosed its involvement in the past week.
Details including names, passport information and payment details stretching back 10 years were accessed by the cybercriminals.
However, CVV/CVC numbers and passwords were not accessed, according to a statement.
The compromised software was operated by SITA Passenger Service System according to Air India.
SITA put out a statement acknowledging the hack at the beginning of March, but did not specify how many people were affected or which airlines had fallen prey.
Other major carriers were also affected, including Star Alliance members Singapore Airlines, New Zealand Air and Lufthansa.
Air India said that the incident “affected around 4,500,000 data subjects in the world” but did not specify how many were their customers.
The hackers managed to get their hands on data from 26 August 2011 to 3 February 2021.
The airline’s statement said: “Air India would like to inform its valued customers that its Passenger Service System (PSS) provider has informed about a sophisticated cyber attack it was subjected to in the last week of February 2021.
“While the level and scope of sophistication is being ascertained through forensic analysis and the exercise is ongoing, the service provider has confirmed that post incident, no unauthorised activity inside the PSS infrastructure has been detected.”
A second press release added that, after the notification of the hack, the steps taken included: “Investigating the data security incident, securing the compromised servers, engaging external specialists of data security incidents, notifying and liaising with the credit card issuers and resetting passwords of Air India Frequent Flyer Program.”
It added: “Further, our data processor has ensured that no abnormal activity was observed after securing the compromised servers.
“While we and our data processor continue to take remedial actions including but not limited to the above, we would also encourage passengers to change passwords wherever applicable to ensure safety of their personal data.”