Airplane and remote control
Photographic illustration ©2015 by Brian Cohen.

Passenger Data Indeed Compromised by “Highly Sophisticated” Cyber Attack 2021

You may have never heard of Société Internationale de Télécommunications Aéronautiques; but the multinational information technology company provides information and telecommunication services to approximately 90 percent of the commercial aviation industry industry worldwide…

Passenger Data Indeed Compromised by “Highly Sophisticated” Cyber Attack 2021

…which means that it holds the sensitive data of passengers on its servers, which were compromised by “cyber-criminals” on Wednesday, February 24, 2021 — and the information pertaining to you may be among the breach.

The company — which was founded in February of 1949 and is better known by its acronym of SITA — is currently headquartered in Geneva; but its operations in the United States are located in Atlanta, which is where the data breach occurred.

This official statement was announced in a press release on Thursday, March 4, 2021 from SITA:

SITA confirms that it was the victim of a cyber-attack, leading to a data security incident involving certain passenger data that was stored on SITA Passenger Service System (US) Inc. servers. Passenger Service System (US) Inc. (“SITA PSS”) operates passenger processing systems for airlines.

After confirmation of the seriousness of the data security incident on February 24, 2021, SITA took immediate action to contact affected SITA PSS customers and all related organizations.

We recognize that the COVID-19 pandemic has raised concerns about security threats, and, at the same time, cyber-criminals have become more sophisticated and active. This was a highly sophisticated attack.

SITA acted swiftly and initiated targeted containment measures. The matter remains under continued investigation by SITA’s Security Incident Response Team with the support of leading external experts in cyber-security.

If you are the customer of an airline and have a Data Subject Access Request in relation to the handling of your personal data, this request must be made directly to that airline in accordance with GDPR and data protection legislation. SITA is unable to respond directly to any such request.

The data breach may have affected greater than two million members of the frequent flier loyalty programs of at least twelve airlines who have since contacted their customers about the incident — including Air New Zealand, American Airlines, British Airways, Cathay Pacific, Finnair, Japan Airlines, Jeju Air, Lufthansa, Malaysia Airlines, SAS, Singapore Airlines, and United Airlines — and perhaps have affected the members of all airlines of both Star Alliance and the oneworld alliance.

Members of the Delta Air Lines SkyMiles frequent flier loyalty program may have also been affected by the data breach; but that report has been unconfirmed at the time this article was written.


That the full scope and extent of the compromised security incident is still yet to be known at the time this article was written is unacceptable and completely inexcusable. Exactly who did this data breach affect — and how much data was actually compromised?

Companies need to be increasingly more vigilant about protecting the sensitive data of their customers. Ironically, creating difficult hurdles for members of frequent travel loyalty programs to recover expired points seems to be significantly more important than pooling more resources and implementing more effective procedures in protecting the sensitive data of their customers.

Between the incidents involving Delta Air Lines, Hyatt Corporation, HiltonKimpton Hotels and Restaurants, British Airways, Marriott International, Incorporated, Facebook, Equifax, and other various companies in recent years, protecting your sensitive information has become almost impossible to do…

…and yet, few measures are in place to rectify the potentially disastrous results which could possibly occur from these data breaches — as though few corporations and government entities are unconcerned about confronting the seriousness of such breaches and attacks.

I am uncertain at this time as to what is the answer — but this trend simply cannot continue unchecked where customers are basically left out in the cold, in my opinion. Class-action lawsuits — through which attorneys line their pockets with plenty of cash and throw the poor consumer a virtually worthless coupon — are not the answer. Corporations simply need to be held significantly more accountable for the actions — or inactions — so that they have an incentive to better protect the sensitive information and data of their customers in the future instead of being perceived as having a cavalier attitude about sensitive data of its customers being compromised…

Photographic illustration ©2015 by Brian Cohen.

  1. As much as I would like to feel a sense off outrage, I also know that data forensics is incredibly complicated and knowing impact is perhaps the hardest thing to determine. In many cases databases and the systems that house them have become compromised so reconstructing them becomes part of the challenge and then without knowing exact vectors of attack/compromise – reverse engineering the attack can be equally complicated. I am not saying that there should not be responsibility but 2 weeks is not a lot of time to figure all this out.
    When I see comments like “That the full scope and extent of the compromised security incident is still yet to be known at the time this article was written is unacceptable and completely inexcusable. Exactly who did this data breach affect — and how much data was actually compromised?” It makes me realize how little is generally understood about the nature of data breaches, the work the goes into deconstructing them, and ultimately securing the resulting systems. There will be more here – I promise, but it will take time and ultimately patience. Just my thoughts here.

  2. While I understand Ben LeRoy’s comments to me I equate this with having my wallet stolen. I need to know if it was stolen or in lost and found immediately so I can cancel credit cards, get a new driver’s license, etc. With a data breach like this, I don’t know if they just stole my name, address, and phone number or if they have access to my payment methods, passport info, or what? Immediately. At least throw us a clue. I have an email from AA on this and they just suggest changing my password so is there nothing to worry about or is this a big deal.

    1. Yes, the email from AA stated that the breach “…involv[ed] a limited amount of AAdvantage loyalty data residing on SITA’s passenger service system (SITA PSS). Importantly, the incident did not result in the compromise of any AAdvantage account passwords or financial information that may be stored in your AAdvantage account…” and then later in the email “We have confirmed with SITA that your name, elite status, and AAdvantage number may have been affected by the incident.”

      So with regard to AA, the company does in fact know the data elements that were compromised and has shared it with us. Hopefully the other programs can do likewise ASAP.

  3. As Tarom told us passport numbers were accessed by this breach, is thee an action I should take assuming I was affected?

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.