Several readers have sent heise Security a letter from the Miles–More-Servicetam of Lufthansa submitted. This discloses a successful attack against the service provider Sita. The unknown attackers had access to personal data of passengers.
Sita has the Star Alliance as a customer, which includes Air Canada, Lufthansa and United Airlines, for example. The service provider takes care of passenger and luggage management worldwide, among other things. Accordingly, Sita’s servers contain customer data from airline passengers.
What personal data is affected?
In an official statement, the service provider says it reported the security incident on 24. February 2021 to have confirmed. He ares to have informed affected partners immediately. It is currently not known how many customers are actually affected. It is also not clear from the statement which data the unknown attackers had access to. Sita speaks of a "highly sophisticated attack". More information about the attack is not available at the moment.
The letter from Lufthansa at least sheds some light on the matter. Accordingly, in the case of this airline, only information about the service card number, the status level and partly the name was copied. Email addresses, passwords or other personal data are not to be among them.
Sita points out that it does not answer inquiries from affected customers regarding data protection. They refer victims to their respective carriers. At present, the service provider is still working through the incident, according to its own statements.