On Sunday, an Air India flyer from Delhi sent a legal notice to the airline seeking compensation over the recent data leak of 45 lakh passengers. Ritika Handoo, a journalist from Delhi, sent the notice to the management of Air India seeking a compensation of Rs. 30 lakhs for the inclusion of her husband’s and her own personal details in the data leak. In her notice, she says that she was informed of the data leak by Air India on June 1st.
Post consultation with her lawyer, she has said that the data leak is a violation of her right to be forgotten and informational autonomy. This is a direct reference to the Supreme Court’s judgement in K.S. Puttaswamy v. Union of India. The notice also claims that Air India leaked the personal data “knowingly, intentionally, and deliberately”.
“The noticee, Air India, is guilty of leaking the sensitive information and personal data of my client. She was shocked and alarmed to learn about the recent security lapse by the noticee, making my client’s data open to exploitation,” states the legal notice sent through Handoo’s lawyer, Ashwini Kumar Dubey.
This comes a little over a month after a Mumbai-based advocate, Zaman Ali, sought Rs. 15 lakhs in damages from Air India for the data leak. He claims that he was informed about the breach on May 25th and has sought damages for himself, while also seeking a government probe into the breach. Ali sought compensation under the IT Act and the Consumer Protection Act, suggesting that the leak contains extremely private information.
What is the Air India data leak?
On 21st May 2021, in an email to all its flyers, Air India revealed that it faced a data leak resulting from a “sophisticated cyber-attack”. The personal details of 45 lakh passengers including their name, date of birth, contact information, passport information, ticket information, as well as credit card information have been leaked. Air India has said that the data leak was the result of an attack in February on SITA, its passenger service system provider. The data leak includes the information of those passengers registered between 26th August, 2011 and 20th February, 2021.
SITA is a Swiss technology company specialising in air transport communications and information technology. It offers many services such as ticket reservation systems, passenger processing services, etc. The company started with 11 member airlines, but now has over 2500 customers from more than 200 countries. Air India struck a deal with SITA in 2017 to upgrade its IT infrastructure and enable the airline to join Star Alliance.
According to some media reports, Air India has claimed that the data breach was acknowledged by SITA, which is based out of Geneva, Switzerland. SITA confirmed that it was the victim of a cyber-attack leading to a data security incident that leaked passenger data stored on their Passenger Service System (US) Inc servers. The national airline has since confirmed that no password data was affected by the data breach.
Can Air India be sued?
Zaman Ali’s legal notice mentions the Information Technology Act, 2000, which does provide for “Compensation for failure to protect data” under Section 43A. As per this provision, if a data breach occurs at a corporate body due to the lack of proper security measures, then it can be sued for compensation. However, there are certain conditions based on which Section 43A should be enforced, and these are provided in the IT (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011.
As per these additional conditions, the data breach must consist specifically of passwords, financial information, information about health conditions, sexual orientation, medical records or biometric information. Given that the Air India data leak consists of at least 2 of the aforementioned criteria, specifically the credit card information of passengers, it is possible to claim compensation under these provisions.
As per an article from Indian Express, Air India has taken a number of steps including securing any compromised servers, engaging external data security experts, and notifying credit card issuers. The airline has also claimed that there has been no evidence of misuse of any of the leaked information, but has requested passengers to change their password and watch out for any other signs of misuse.