Data leaked? Change password

Victims of cyberattacks such as the one reported on Air India last week should quickly change their passwords, experts say.

Data relating to 45 lakh customers who travelled with Air India between 2011 and 2021 could now be in the hands of hackers.

Arindrajit Basu, research lead at the Centre for Internet and Society, Bengaluru, says airlines use third-party companies to manage their data. “As companies outsource, process, gather or store data through third parties, audit is important,” he says.

Air India says CVV and CVC details of customers’ cards have not been stolen. “This implies minimal probability of financial loss. However, the biggest concern is that personal details are out in the open,” Basu says.

He advises customers to go back to the airline website and change their passwords. “Regular changing of passwords is ideal, as cyberattacks don’t happen in one stage,” he explains.

When a ticket is booked for an individual by another, by a travel agent or relative, the data of both could be compromised. “It is ideal for both parties to change passwords,” he says.

Maintain hygiene

Shivani Singh, operations and digital security manager at Internet Freedom, suggests a ‘digital security hygiene schedule’ for all.

“Whenever a massive data leak like this happens, the information is mostly first leaked on the dark web. Hackers use Personally Identifiable Information (PII) like birth dates and email IDs to try to gain access into other associated accounts,” she says.

A different password doesn’t mean the same password with capitals or same combinations in a different sequence. “It should be entirely different from your existing one,” she adds.

Complex passwords and passphrases make a difference, says Shivani. “You can’t fight big tech and malicious actors with passwords like ABC123. For each app and service, create a unique password,” she says.

She recently launched a free newsletter called Cybersec Charcha to talk about developments in cyber security. Clearing cookies and cache frequently helps. “Update all your apps and browsers, as every update comes with security patches,” she says.

Kiran Jonnalagadda, co-founder of software company @hasgeek, says non-expiring IDs like Aadhaar come with their own risks. “It is always better to use a driving licence or passport since they have an expiry date,” he says.

In case of data breach on a site connected to a service such as Google or Facebook, go to its account settings and disconnect it, he says.

Safety first

Create strong passwords.

Change them every three months.

Use a password manager across all your services (apps, email, social media accounts etc).

Don’t save personal details on any website, if optional.

Security loopholes

The airline industry works with a lot of personal information, including birth dates, names of spouses, passport numbers and itineraries. Despite the threats being transnational, there hasn’t been much of a consensus on laws and enforcement, say data experts. If any harm comes from a data breach, registering a complaint with the police is the way, says Arindrajit Basu of the Centre for Internet and Society. The IT Act says each Indian state must have a cyber cell. “Some have effective ones and others are still building that capacity. There is no centralised cyber authority to deal with consumer grievances operational yet,” he says.

Central agency

Social technologist Kiran Jonnalagadda is concerned the government has been lax in passing a data protection law. “The correct authority to complain to is Indian Computer Emergency Response Team. Affected individuals should file complaints with them, although they may not respond,” he says.

Where to complain

Bengaluru Cyber Police Station:

Central: Ulsoor - 2294 2087

East - Shivajinagar- 2294 2595

West - Basaveshwarangar - 2294 2516

South - Banashankari - 2294 2474

South East - HSR Layout - 2294 3467

North - Yeshwanthpur - 2294 2302

North East - Yelahanka - 2856 2004

Whitefield - 99865 15620

Indian Computer Emergency Response Team, Delhi

Call 011 24368572 or
email incident@cert-in.org.in

Air India says

Air India says it has taken quick data security measures— investigating the incident, securing the compromised servers, engaging external specialists, and notifying and liaising with the credit card issuers.

In a statement, it said its data processor has observed no abnormal activity after the compromised servers were secured. When Metrolife called up the airline, an official said no additional information was available at this stage.

(With inputs from Asra Mavad)