Data has leaked from air transport communication and IT company Sita following a cyber-attack  on its US-based Passenger Service System (PSS) which operates passenger processing systems for airlines.

Frequent flyer information appears to have been the hackers’ main target. Singapore Airlines says about 580,000 customers have been affected, Finnair about 200,000, and Air New Zealand said “only a small subset” of customers have been impacted.

After confirmation of the seriousness of the data security incident on 24 February, Sita took immediate action to contact affected PSS customers and all related organisations, the company said in a 4 March statement.

“Sita acted swiftly and initiated targeted containment measures. The matter remains under continued investigation by Sita’s security incident response team with the support of leading external experts in cyber-security,” it added.

“We recognise that the Covid-19 pandemic has raised concerns about security threats, and, at the same time, cyber-criminals have become more sophisticated and active. This was a highly sophisticated attack,” it said.

The company advised passengers concerned about the handling of their personal data to contact the airline they flew with because Sita is unable to respond directly to such requests.

The air industry service company has more than 2,500 clients, is present in over 1,000 airports and claims to cover more than 90% of international destinations.

Local media reported Singapore Airlines as saying members of its KrisFlyer and PPS programmes have had their membership number, tier status and, in some cases, membership name compromised.

The data breach did not involve members’ passwords, credit card information, passport numbers or email addresses, nor details of their itineraries, reservations and ticketing.

Finnair has advised Finnair Plus members to change their password to the frequent flyer programme. The airline has also reported the breach to Finland’s Data Protection Authority. The information taken included names, customer numbers, and meal and seating requests.

More sensitive data such as contact information, payment card details and passwords were not compromised.

Air New Zealand said the data affected is limited to name, tier status and membership number of Airpoints’ flyers. Passwords, credit card information, itineraries, reservations, ticketing, passport numbers, email addresses and other contact information were not leaked.

PrivSec Global, a live streaming event, takes place on 23-25 March featuring more than 200 speakers and 64 sessions on privacy, data protection and cyber-security.