After Singtel, now SIA suffers major data leak

Singapore’s flag carrier airline has been affected by a data leak, just weeks after the city-state’s largest mobile network operator Singtel said customer data including names, addresses and phone numbers had been stolen by a group of hackers.

The Straits Times daily yesterday reported that some 580,000 Singapore Airlines (SIA) customers have had their data compromised by a leak from an external air transport IT company.

SIA said in a statement that the leak involved members of its KrisFlyer and PPS programmes.

The leaked data included membership numbers, tier status and, in some cases, membership names although the airline assured that no passwords, credit card information, intineraries, passport numbers or email addresses were compromised.

According to SIA, the breach came from air transport IT firm Sita which said in a separate statement that it had been hit by a “highly sophisticated cyberattack”.

SIA said it is not a member of Sita’s passenger service system, but that it had given a set of frequent flier programme data to other member airlines in the Star Alliance group, one of which had passed it to Sita, the Straits Times reported.

It said this data was needed for verification of membership tier status and to provide the relevent benefits to customers of member airlines while travelling.

“The protection of our customers’ personal data is of utmost importance to Singapore Airlines, and we sincerely regret the incident and apologise for the inconvenience caused,” it said.

It also assured that it is not possible for customers’ confidential data to be accessed with only the leaked data.

“If someone calls our contact centres, additional secure information will be needed to clear the verification process before he or she can perform a transaction or access the data,” a spokesman was quoted as saying.

In the earlier Singtel data breach, the personal data of some 129,000 of customers was stolen by a group of hackers known as the Clop gang.

Bank details of 28 former Singtel employees were also stolen, as well as the credit card details of employees of a corporate customer which subscribes to Singtel’s mobile service, along with information from 23 companies.

The Straits Times said the gang later leaked over 11GB of data, putting some of it up for sale on the dark web in exchange for S$250,000 worth of bitcoin.

The leak took place after the hackers breached Accellion, a file transfer software used by Singtel which was found to have been compromised in January.