News & AnalysisNewsletterSecurity

Why Air India Breach is an Eye-Opener for Every CISO


The cybersecurity vulnerability within the Indian tech ecosystem is growing wider and more apparent by the day. Three months after air transport data major SITA reported a data breach, Air India said last week that personal data of about 4.5 million passengers had been compromised following the incident at SITA. The stolen information included passengers’ names, credit card details, date of birth, contact information, passport information, ticket information, Star Alliance and Air India frequent flyer data, Air India said in a statement.

Air India said that CVV data of credit cards were not held by SITA, as it urged passengers to change passwords “wherever applicable to ensure safety of their personal data.” The attack compromised data of passengers who had registered with the Indian airline over the past decade, between August 26, 2011 and February 3, 2021, the statement said.

The revelation comes months after SITA said it had suffered a data breach that involved passenger data. At the time, SITA said it had notified several airlines — Malaysia Airlines, Finnair, Singapore Airlines, Jeju Air, Cathay Pacific, Air New Zealand, and Lufthansa — of the breach.

While the investigation is still on, Air India said that it was first notified about the cyberattack by SITA on February 25, but the nature of the data was only provided to it on March 25 and April 5.

The struggling airline, which is surviving on taxpayer money, claimed that it had investigated the security incident, secured the compromised servers, engaged with unnamed external specialists, notified the credit card issuers, and had reset passwords of its frequent flyer program.

While Air India is the latest Indian firm to disclose a data breach in recent quarters, payments company MobiKwik said in late March that it was investigating claims of a data breach that allegedly exposed private information of nearly 100 million users. BigBasket data allegedly leaked on dark web, database claimed to include details of over 20 million users as reported in late April.

A security lapse occurred at Indian telecom giant Jio Platforms exposed results of some users who had used its tool to check their coronavirus symptoms. Bengal-based blood test firm Dr. Lal PathLabs also reportedly suffered similar breaches. More recently, data belonging to around 180 million users who ordered food from Dominos India was leaked online and is now available for sale.

While the nature and intensity of these attacks may differ, the lesson from such breaches as Sonit Jain, CEO of GajShield Infotech observed, “While organization spend a lot of effort securing their enterprise network, risk assessment of partner networks is rarely done, leaving a big gap open to be compromised. As attackers start mapping supply chain providers of an organization, we will see an increase in the number of such attacks. Lack of visibility and control will leave a blind spot ready to be used.”

“Cyber defenses now need to be extended beyond an organization’s network and cover their partner network, processes, and employees too,” he said.

According to a recent study by Infosys-Interbrand, the potential risk in brand value of data breach to the world’s 100 most valuable brands could amount to as much as $223 billion.

A data breach, irrespective of the modus operandi, has grown many folds in India. As far as the cybersecurity market in India is concerned, a joint study by PwC India and DSCI expects the market to grow from $1.97 billion in 2019 to $3.05 billion by 2022, at a compound annual growth rate (CAGR) of 15.3%. However, the disturbing trend in India has been firms’ failure to acknowledge that a breach has happened, which then makes individual users wonder if their data is safe at all.

Indeed, there are challenges ahead. According to Kaspersky’s telemetry, when the world went into lockdown in March 2020, the total number of bruteforce attacks against remote desktop protocol (RDP) jumped from 93.1 million worldwide in February 2020 to 277.4 million 2020 in March—a 197 per cent increase. The numbers in India went from 1.3 million in February 2020 to 3.3 million in March 2020. From April 2020 onward, monthly attacks never dipped below 300 million, and they reached a new high of 409 million attacks worldwide in November 2020. In July 2020, India recorded its highest number of attacks at 4.5 million.

In February 2021—nearly one year from the start of the pandemic—there were 377.5 million brute-force attacks—a far cry from the 93.1 million witnessed at the beginning of 2020. India alone witnessed 9.04 million attacks in February 2021. The total number of attacks recorded in India during Jan & Feb 2021 was around 15 million.

 Dipesh Kaura, General Manager, Kaspersky (South Asia) believes that India has seen numerous instances of organizations becoming a victim of a data breach incident in recent times. Businesses who are a victim of a data breach today not only are responsible to protect their consumer’s data, but also prevent it from being misused by the cyber criminals as an aftermath of a data breach.”

Emphasizing that human beings are the weakest links in the cybersecurity ecosystem, Kaura said, “It obviously becomes essential for enterprises to regularly train their non-IT staff and create an awareness in order to protect their consumer’s data from being exposed in a data breach incident due to threats like phishing, malware and brute force attacks. Regular system updates and proactive disclosure of such incidents also help businesses in creating a stronger strategy to fight against data breaches.”

Anu Laitila, Cybersecurity Awareness Business Manager at Nixu agreed that over one-third of all cyber-attacks involve internal actors, and over third included social engineering. Many breaches result from inadequate security hygiene and a lack of attention to detail. Social engineering is getting more and more sophisticated and, therefore effective. Organizations of all sizes should pay attention to human error and cybersecurity training. But she observes that most companies do not train their employees on security matters enough.”

Laitila believes in building security awareness campaigns can include lectures, exercises, games, blogs, or any kind of engaging content. The trigger can be anything that will help people to remember security actions.

A report by Jigsaw Academy too echoed similar sentiments. It states that with India’s highly skilled IT workforce, efforts must be harnessed and redirected towards strategic use by the government. Incentives provided by the government to the industry would encourage investment from the private sector towards an agency focused on national cybersecurity.

With strengthened cybersecurity defenses in India’s future, Indian businesses will become more competitive on a global level and create a secure organization and a safer digital India. Needless to say then, with the Air India breach and other similar incidents every CIO/CISO needs to wake up and smell the coffee.

Leave a Response

Sohini Bagchi
Sohini Bagchi is Editor at CXOToday, a published author and a storyteller. She can be reached at