A massive cybersecurity attack targeting the data processor of Air India’s passenger service system has leaked the personal information of lakhs of passengers, the airline said on Friday.

The data breach has affected around 45 lakh customers registered between August 26, 2011 and February 2, 2021 across the world. The data that have been compromised include names, credit card details, date of birth, contact information and ticket details. The airline clarified that no passwords or CVV/CVC numbers were leaked.

The attack targeted Geneva-based passenger system operator SITA that serves the Star Alliance of airlines including Air India, Singapore Airlines, Lufthansa and United.

“SITA PSS our data processor of the passenger service system (which is responsible for storing and processing of personal information of the passengers) had recently been subjected to a cybersecurity attack leading to personal data leak of certain passengers,” Air India said in an email to customers. “This incident affected around 4,500,000 data subjects in the world.”

Air India said it was first notified about the data breach on February 25. “We would like to clarify that the identity of the affected data subjects was only provided to us by our data processor on 25.03.2021 and 5.04.2021,” it added.

However, SITA had publicly announced the incident in March. Different airlines, including Singapore Airlines and Malaysia Airlines, had at that time informed passengers that some of their data was leaked.

Air India said it had launched an investigation into the incident and took steps like securing the compromised servers, getting external data security specialists on board and resetting passwords. “While we and our data processor continue to take remedial actions...We would also encourage passengers to change passwords wherever applicable to ensure safety of their personal data,” it added.