Airline Frequent Flyer Data Breached, World Airlines Notifying Customers, U.S. Carriers Noticeably Silent

A frequent flyer program database has been breached, giving hackers access to the name, account number, and elite level of all members in all Star Alliance frequent flyer programs, according to notices provided by Singapore Airlines, Lufthansa and Air New Zealand. oneworld account data has also been breached, according to notices provided by Cathay Pacific and Finnair.

Here’s the message sent by Singapore Airlines,

SITA, an information technology company providing passenger service systems, has informed Singapore Airlines of a data security breach involving their passenger service systems’ (SITA PSS) servers. While Singapore Airlines is not a customer of the SITA PSS, another Star Alliance member airline is.

All Star Alliance member airlines provide a restricted set of frequent flyer programme data to the alliance, which is then sent on to other member airlines to reside in their passenger service systems. This data transfer is necessary to enable the verification of membership tier status, and to accord to member airlines’ customers the relevant benefits while travelling.

As a result, SITA has access to the restricted set of frequent flyer programme data for all 26 Star Alliance member airlines including Singapore Airlines.

Some of our members were affected by the breach of the SITA PSS server. The impacted data is limited to the members’ KrisFlyer membership number and tier status and, in some cases, membership name, which is the full extent of the frequent flyer data set Singapore Airlines shares with other Star Alliance member airlines for this data transfer.

Specifically, this data breach does not involve KrisFlyer membership passwords, credit card information, and other customer data such as itineraries, reservations, ticketing, passport numbers, and email addresses as SIA does not share this information with other Star Alliance member airlines for this data transfer.

We are contacting you to inform you that your KrisFlyer data was not impacted by this breach of the SITA PSS server. Your KrisFlyer miles balance was also not compromised.

We would also like to reassure you that none of Singapore Airlines’ IT systems have been affected by this incident.

The protection of our customers’ personal data is of utmost importance to Singapore Airlines. We will work with our partners to review the current procedures, and take all necessary steps to improve data security.

It appears the breach was of the SITA passenger service system. There may be additional information stolen beyond just account number and status, but it’s likely limited to things like meal and seat preferences.

Strikingly no U.S. airline that I’m aware of has notified customers of the possibility that their information has been breached.

About Gary Leff

Gary Leff is one of the foremost experts in the field of miles, points, and frequent business travel - a topic he has covered since 2002. Co-founder of frequent flyer community, emcee of the Freddie Awards, and named one of the "World's Top Travel Experts" by Conde' Nast Traveler (2010-Present) Gary has been a guest on most major news media, profiled in several top print publications, and published broadly on the topic of consumer loyalty. More About Gary »

More articles by Gary Leff »



  1. With Southwest subsidiary AirTran Airways due to fly off into the pages of aviation history this week as its last remnants are fully absorbed into its parent airline, Forbes takes a look at just what AirTran has brought to the larger carrier.

  2. And having the name, account number and elite status means basically nothing w/o billing info and/or ID/PW. 40 years in IT and this is a non-event

  3. United Airlines notified their customers by eMail today around 5:30 PM EST

  4. IMHO this is a bigger deal than they are making it. Many FF accounts use the number and password, or number plus family name and password.
    Two parts of that data are now in the wild and it won’t take much to start joining that to existing data sets of names and emails and compromised passwords.
    While the passwords have not been released lazy password reuse will result in compromised FF accounts and theft of FF miles increasing.

  5. I received a similar email from AA as well It seems the One World database has been breached as well Whatever this means remains to be determined

Leave a Reply

Your email address will not be published.