Do You Know Where Your Frequent Flier Miles Are? The Big, Bad SITA Breach

By Robert McGarvey

Word of warning: be sure to check and keep checking your many airline miles, at every carrier, because they just may be in the hands of cyber crooks.

Another big travel-related data breach is why.

The victim is a company called SITA and if you haven’t heard of it, join the club.  But SITA is a big data processor for many carriers and in a March 4th release it said: “SITA confirms that it was the victim of a cyber-attack, leading to a data security incident involving certain passenger data that was stored on SITA Passenger Service System (US) Inc. servers. Passenger Service System (US) Inc. (‘SITA PSS’) operates passenger processing systems for airlines.”

My favorite sentence in this otherwise uninformative statement is this: “This was a highly sophisticated attack.”

Trust me: you will never see a breach announcement that says, “The attack was the kind dreamed up by especially dumb 8th graders.”  Nope.  The attackers always are arch criminals and card-carrying Mensa members.

Right.

But this SITA attack, the little we know about it even a month later, is ugly business especially for those of us who covet and collect airline miles.

On which carriers? Damn near all. Some 90% of the planet’s air carriers are said to use SITA.  The company handles many reservations and ticketing. 

Other than saying there was a serious “data security incident” on February 24 the company tells us bupkis. Company spokesperson Edna Ayme-Yahil told TechCrunch zip, for instance.

Travel Weekly got a little bit more info: “In a statement, SITA spokeswoman Edna Ayme-Yahil declined to say how many airlines have been impacted by the breach. The company also didn’t provide many details on the type of data compromised, but it did note that the data includes some personal data of airline customers, including frequent flyer account data.”

Ayme-Yahil also told Travel Weekly: “Each affected airline has been provided with the details of the exact type of data that has been compromised, including details of the number of data records within each of the relevant data categories.”

That mum’s-the-word posture is the norm in breaches but it is maddeningly unhelpful to possible victims who have no idea what was stolen, if the theft in fact impacts their data and what, if anything, they should do about it.

But various SITA customers – among them: United and American airlines – have been sounding alarms with a particular focus on loyalty programs.

United specifically said some customer Star Alliance data was affected, but it stressed that MileagePlus data were not touched.

American said it did not use SITA but some frequent flier data passed through the system so that loyalty points accrued on other carriers could be accounted.

Lufthansa, meantime, said 1.35 million Miles and More members were impacted.

Singapore Air has said the breach may have affected as many as 580,000 people in its loyalty programs.

Even Finnair says 200,000 of its loyalty members were impacted.

Skift summed up the carnage: “More than two million travelers enrolled in the frequent flier programs of at least ten airlines had some of their data hacked, according to messages they received recently from the carriers.”

That’s a punch in the face.

Even worse is that we don’t really know what data was lifted.

The still worse news is that it is on you to protect yourself and we simply must proceed as though the hackers got away with our account numbers and login info – precisely what they would need to steal the miles and sell them on the dark web or convert them into easily sold goods (iPhones are extraordinarily popular).

The worst news is that, sigh, there is nothing different now: our loyalty programs are and have been easy pickings for criminals.  I wrote about an American breach in 2015, ditto a United breach.  I could have written the same story many more times but why bother when there is nothing new to say?

I wrote about the SITA breach – after waiting almost a month in the vain hope for more info – simply because of its breadth (just about every carrier you and I use is involved) which is inversely proportional to how much we know about it, which is a teaspoonful of worrisome uncertainties.

Protect yourself, don’t trust the carriers.  That is the bottom line.
