Just days after Malaysia Airlines disclosed a “data security incident” and subsequent breach of frequent flyer members’ information, Singapore Airlines has warned its own frequent flyer members of a third-party breach affecting up to 580,000 people.
Singapore Airlines said in a statement published late on 4 March that it had been informed by air transport communications and information technology provider SITA of a data security breach involving its Passenger Service System (SITA PSS) servers.
Although Singapore Airlines is not a direct customer of the SITA PSS, the breach of the SITA PSS server has affected some of its KrisFlyer and PPS members. This was due to the use of the SITA systems by a fellow Star Alliance member.
“All Star Alliance member airlines provide a restricted set of frequent flyer program data to the alliance, which is then sent on to other member airlines to reside in their respective passenger service systems,” Singapore Airlines said. “This data transfer is necessary to enable verification of the membership tier status, and to accord to member airlines’ customers the relevant benefits while travelling.
“One of the Star Alliance member airlines is a SITA PSS customer. As a result, SITA has access to the restricted set of frequent flyer program data for all 26 Star Alliance member airlines including Singapore Airlines,” the provider said.
According to the airline, around 580,000 KrisFlyer and PPS members have been affected by the breach of the SITA PSS servers.
SITA confirmed on 4 March that it was the victim of a cyber attack, leading to a data security incident involving certain passenger data that was stored on its SITA Passenger Service System.
"After confirmation of the seriousness of the data security incident on February 24, 2021, SITA took immediate action to contact affected SITA PSS customers and all related organisations," the company said in a statement.
"SITA acted swiftly and initiated targeted containment measures. The matter remains under continued investigation by SITA’s Security Incident Response Team with the support of leading external experts in cyber-security," it added.
For its part, Singapore Airlines claimed that the information involved in the breach was limited to loyalty program membership number and tier status and, in some cases, membership name. The company said that this information is the full extent of the frequent flyer data that Singapore Airlines shares with other Star Alliance member airlines for this data transfer.
Singapore Airlines stressed that the data breach does not involve KrisFlyer and PPS member passwords, credit card information, or other customer data such as itineraries, reservations, ticketing, passport numbers and email addresses – this information is not shared with other Star Alliance member airlines.
“We would also like to reassure all customers that none of [Singapore Airlines’] IT systems have been affected by this incident,” the company said. “We are proactively reaching out to all KrisFlyer and PPS members to inform them about this incident.
“The protection of our customers’ personal data is of utmost importance to Singapore Airlines, and we sincerely regret the incident and apologise for the inconvenience caused.
“We will work with our partners to review the current procedures and will take all necessary steps to improve data security,” it added.