Data of 580,000 Singapore Airlines’ (SIA) frequent flyer members have reportedly been compromised in a cybersecurity attack that has hit air transport communications and IT vendor, SITA.
In a statement on Thursday (4 Mar), SIA said it has shared a “restricted” set of frequent flyer programme data as a member of the Star Alliance group, even though the airline is not a customer of SITA.
This is necessary to facilitate verification of membership tier status and to accord member airlines’ customers the relevant benefits while they travel, said SIA.
“While SIA is not a customer of the SITA PSS, this breach of the SITA PSS server has affected some KrisFlyer and PPS members,” it noted.
It was said that one member of Star Alliance had used the SITA system, resulting in SITA getting access to the restricted set of frequent flyer programme data for all 26 Star Alliance member airlines including SIA.
SIA noted that the affected SIA customers were members of its KrisFlyer and higher-tier PPS frequent flyer programmes.
The compromised data was “limited” to the membership number and tier status and, in some cases, membership name, as this is the full extent of the frequent flyer data that SIA shares with other Star Alliance member airlines for this data transfer, it added.
“Specifically, this data breach does not involve KrisFlyer and PPS member passwords, credit card information, and other customer data such as itineraries, reservations, ticketing, passport numbers, and email addresses.
“We would also like to reassure all customers that none of SIA’s IT systems have been affected by this incident,” said the national carrier.
Separately, SITA released a statement on its website to clarify that it was the “victim of a cyber-attack” which led to the data security incident.
SITA said it has taken immediate action to contact affected SITA PSS customers and all related organisations, after it received confirmation of “the seriousness” of the data security incident on 24 February.
“We recognize that the COVID-19 pandemic has raised concerns about security threats, and, at the same time, cyber-criminals have become more sophisticated and active. This was a highly sophisticated attack.
“SITA acted swiftly and initiated targeted containment measures. The matter remains under continued investigation by SITA’s Security Incident Response Team with the support of leading external experts in cyber-security,” it added.
Responding to ZDNet’s query, a SITA spokesperson noted that several airlines – including Jeju Air, Finnair, and Malaysia Airlines – had reached out to their customers and made public statements confirming they were affected by the data breach, which seems to suggest that SITA was likely involved in a breach that affected Malaysia Airlines’ Enrich frequent flyer members.
SIA potentially faces penalties under PDPA
Last November, Communications and Information Minister S Iswaran announced in Parliament the amendment to the Personal Data Protection Act (PDPA), which imposes heavier penalties for data breaches while allowing organisations to use data without consent in certain circumstances.
Under the amended PDPA, companies can be fined up to 10 per cent of their annual turnover in Singapore for a data breach. The maximum fine was previously S$1 million.
The amended PDPA also makes it compulsory for organisations to report breaches of a certain scale and severity to the Personal Data Protection Commission (PDPC), said Mr Iswaran.
Even so, he noted that under the PDPA’s “exceptions to the consent requirement”, organisations can now collect, use or disclose personal data without consent for “legitimate interests”, business improvement and broader research and development.
This includes using personal data to prevent fraud, improve products or conduct market research to understand potential customer segments, while current consent exceptions include helping in investigations and emergencies.
Additionally, companies will be allowed to share data with different contractors under “deemed consent”, as well as consent by notification.
Mr Iswaran said there would be safeguards in allowing the use of data under deemed consent, such as clear limits on how the data can be used and requiring organisations to conduct a risk assessment to ensure that individuals are not adversely affected by the purpose.
“For all other purposes, organisations have to obtain consent from the individual,” said the Minister, adding that organisations would still need to get express consent from individuals when sending direct marketing messages.