About 580,000 SIA KrisFlyer and PPS members affected by external data leak

Members of SIA's KrisFlyer and PPS programme had their membership number, tier status, and in some cases membership name compromised, said the airline.
Members of SIA's KrisFlyer and PPS programme had their membership number, tier status, and in some cases membership name compromised, said the airline.PHOTO: LIANHE WANBAO

SINGAPORE - About 580,000 Singapore Airlines' (SIA) customers have been affected by a data leak from an external air transport information technology company.

SIA said in a statement on Thursday evening (March 4) that members of its KrisFlyer and PPS programmes have had their membership number, tier status and, in some cases, membership name compromised.

But it added that the data breach did not involve the members' passwords or credit card information. It also did not involve other customer data such as itineraries, reservations, ticketing, passport numbers and e-mail addresses.

A spokesman said: "It is not possible for someone to access any confidential customer data or their miles with only (the leaked information). 

"If someone calls our contact centres, additional secure information will be needed to clear the verification process before he or she can perform a transaction or access the data."

SIA said the data breach originated from air transport information technology firm Sita, whose passenger service system servers were compromised.

The carrier said it is not a customer of Sita's passenger service system. But all members of the Star Alliance provide a set of frequent flier programme data to the alliance. One of the group's 26 member airlines is a Sita customer, which resulted in Sita getting access to the limited set of data from all of other airlines.

SIA said: "All Star Alliance member airlines provide a restricted set of frequent flier programme data to the alliance, which is then sent on to other member airlines to reside in their respective passenger service systems.

"This data transfer is necessary to enable verification of the membership tier status, and to accord to member airlines' customers the relevant benefits while travelling."

SIA added that none of its IT systems has been affected by this incident.

It is contacting affected customers to inform them about the incident. Those who are not affected will be updated as well. 

"The protection of our customers' personal data is of utmost importance to Singapore Airlines, and we sincerely regret the incident and apologise for the inconvenience caused," said SIA.

"We will work with our partners to review the current procedures, and will take all necessary steps to improve data security."

Sita said in a separate statement on Thursday that it had been hit by a highly-sophisticated cyber-attack. It said the attack resulted in a "data security incident"  involving certain passenger data that was stored on its passenger service system servers.

It had confirmed "the seriousness of the data security incident" on Feb 24. It then contacted affected customers and related organisations afterwards.

"The matter remains under continued investigation by Sita's Security Incident Response Team with the support of leading external experts in cyber-security," added Sita.