
Days after Akasa Air’s data breach incident, Air India’s data has also been compromised. The airline has sent emails to its B2B customers stating that the login user IDs and passwords of a limited number of B2B clients have been compromised. The compromise happened at Air India’s GST portal, which is provided by Accelya Solutions Ltd.
The compromised user IDs and passwords have been used by an unauthorised party to access their GST invoices and publish them in the public domain, the email issued by the company stated.
The email, accessed by Business Today, also stated that, having noticed this incident, Air India has taken immediate steps with the service provider to change the access credentials of all user IDs for the GST portal.
Responding to Business Today’s query, an Air India spokesperson said, “An outsourced external agency has experienced data breach of their systems, which compromised some information regarding Air India’s agents. We would like to state that no data related to any passenger or customer of Air India has been affected by this breach at the external agency’s end.”
The spokesperson further said: “Air India has taken immediate action and reached out to all the B2B clients besides alerting the external agency to take corrective measures. Action on resetting of passwords has already been taken and a 2-factor password authentication has already been implemented. Air India has pulled out all stops to ensure that corrective and preventive measures are strictly adhered to by this external agency to mitigate any such breach in future.”
It is not the first time that Air India’s data has been compromised. Reports in February 2021 stated that hackers stole the personal data of 4.5 million Air India passengers.
Given the rising number of data breach incidents in the country, the Indian government is trying to tighten the norms with a recently issued cybersecurity directive, which mandates that all companies report cyber incidents to CERT-In within 6 hours of noticing such incidents or being brought to notice about them. This reporting window is significantly shorter than that in the EU, where data breach incidents have to be reported within 72 hours.