What we know about the data breach targeting frequent flyer info

Mar 5, 2021

This post contains references to products from one or more of our advertisers. We may receive compensation when you click on links to those products. Terms apply to the offers listed on this page. For an explanation of our Advertising Policy, visit this page.

A “highly sophisticated” cyber attack targeting frequent flyer data has affected at least 11 airlines around the globe, including U.S. carriers American and United. The Feb. 24 incident targeted SITA, a technology provider that helps process communications and passenger information across numerous carriers.

Fortunately for customers, the hackers were not successful in stealing critical information like customer passwords or credit card information, according to both SITA and the affected airlines. Instead, the breach appears to have been limited to data such as frequent flyer account numbers and status levels.

“We recognize that the COVID-19 pandemic has raised concerns about security threats, and, at the same time, cyber-criminals have become more sophisticated and active,” SITA said in a Friday statement acknowledging the incident, which it said “remains under continued investigation.”

Want more airline-specific news? Sign up for TPG’s free new biweekly Aviation newsletter!

“This was a highly sophisticated attack,” the company added.

Affected airlines also have begun reaching out to customers. Despite early reports that the breach may have affected only carriers of the Star Alliance frequent flyer group, other airlines have also been exposed.

In the U.S., both United and American had started emailing customers on Friday afternoon.

“It’s our understanding that the only information potentially accessed were customer names, MileagePlus numbers and Star Alliance statuses (Silver or Gold),” United said in an email to its members. “Importantly, no other personal information or passwords were exposed that would allow anyone to access your MileagePlus account.”

American sent out a similar email to customers.

Cyber secure: How to protect yourself against reward program data breaches

Neither are customers of SITA’s passenger service system, though their frequent-flyer information seems to have been exposed via partners that are. The system can, among other things, allow airlines to share tier status information with each other so that airlines can offer elite benefits to eligible customers of their partners.

At least nine other carriers were affected, according to media reports and emails sent by carriers. They include Cathay Pacific, Finnair, Japan Airlines, Jeju Air of Korea, Lufthansa, Malaysia Airlines, SAS and Singapore Airlines. Delta Air Lines told TPG that it had no indication it was exposed to the breach.

Still, Skift estimates that “more than two million travelers enrolled in the frequent flier programs (of the affected) airlines had some of their data hacked.”

While SITA and the airlines say no sensitive information was taken, some carriers suggested customers could change their passwords “out of an abundance of caution.”

Featured photo by Johner Images/Getty Images

Chase Sapphire Preferred® Card

WELCOME OFFER: 80,000 Points

TPG'S BONUS VALUATION*: $1,650

CARD HIGHLIGHTS: 2X points on all travel and dining, points transferrable to over a dozen travel partners

*Bonus value is an estimated value calculated by TPG and not the card issuer. View our latest valuations here.

Apply Now
More Things to Know
  • Earn 80,000 bonus points after you spend $4,000 on purchases in the first 3 months from account opening. That's $1,000 when you redeem through Chase Ultimate Rewards®. Plus earn up to $50 in statement credits towards grocery store purchases within your first year of account opening.
  • Earn 2X points on dining including eligible delivery services, takeout and dining out and travel. Plus, earn 1 point per dollar spent on all other purchases.
  • Get 25% more value when you redeem for airfare, hotels, car rentals and cruises through Chase Ultimate Rewards®. For example, 80,000 points are worth $1,000 toward travel.
  • With Pay Yourself Back℠, your points are worth 25% more during the current offer when you redeem them for statement credits against existing purchases in select, rotating categories.
  • Get unlimited deliveries with a $0 delivery fee and reduced service fees on eligible orders over $12 for a minimum of one year with DashPass, DoorDash's subscription service. Activate by 12/31/21.
  • Count on Trip Cancellation/Interruption Insurance, Auto Rental Collision Damage Waiver, Lost Luggage Insurance and more.
  • Get up to $60 back on an eligible Peloton Digital or All-Access Membership through 12/31/2021, and get full access to their workout library through the Peloton app, including cardio, running, strength, yoga, and more. Take classes using a phone, tablet, or TV. No fitness equipment is required.
Regular APR
15.99%-22.99% Variable
Annual Fee
$95
Balance Transfer Fee
Either $5 or 5% of the amount of each transfer, whichever is greater.
Recommended Credit
Excellent/Good

Editorial Disclaimer: Opinions expressed here are the author’s alone, not those of any bank, credit card issuer, airlines or hotel chain, and have not been reviewed, approved or otherwise endorsed by any of these entities.

Disclaimer: The responses below are not provided or commissioned by the bank advertiser. Responses have not been reviewed, approved or otherwise endorsed by the bank advertiser. It is not the bank advertiser’s responsibility to ensure all posts and/or questions are answered.