Yesterday SITA, the IT services provider owned by the airline and airport industry, said it had suffered a cyberattack involving passenger data. SITA's Passenger Service System (PSS) processes data for several airlines, and multiple carriers have emailed a subset of their passengers to tell them they are affected. The incident highlights the risk of corporations holding large centralized stores of personal data, which become a honeypot for attackers. Instead, more of that data could be held by the individuals themselves, using digital identity approaches such as self-sovereign identity.
“This was a highly sophisticated attack,” said SITA in a statement. “SITA acted swiftly and initiated targeted containment measures.”
It turns out that Singapore Airlines is not even a SITA PSS customer. It was affected because it shares some frequent flyer data with other Star Alliance members that do use SITA PSS.
“All Star Alliance member airlines provide a restricted set of frequent flyer programme data to the alliance, which is then sent on to other member airlines to reside in their respective passenger service systems,” said Singapore Airlines in a statement. “This data transfer is necessary to enable verification of the membership tier status, and to accord to member airlines’ customers the relevant benefits while travelling.”
Singapore Airlines said that 580,000 KrisFlyer and PPS members were affected. In Singapore Airlines' case the exposed data was the membership number, tier status and, in some cases, the member's name. The other large western airlines in Star Alliance are United, Lufthansa and Air Canada; none of the three has made an announcement.
How self-sovereign identity might help
With something like a multi-airline loyalty scheme – from our admittedly armchair perspective – we believe a centralized store of shared data is not required. In fact, it is probably an ideal use case for digital identity. Here is how we think it could work with self-sovereign identity.
When a passenger joins the Star Alliance program, they are issued a loyalty program credential by the airline that signed them up, hypothetically United. The credential is transmitted peer-to-peer and stored in the passenger's mobile wallet or with a cloud provider of their choosing, so only United and the passenger hold the details. It is digitally signed with United's private key, and a blockchain or similar public registry can hold United's public key, which is later used to verify that signature.
When the passenger wants to use reward points with another airline, say Singapore Airlines (SIA), SIA asks the passenger for their Star Alliance credential. The passenger presents it directly from their wallet, and the presentation need not include the membership number. SIA verifies the credential without contacting United: it looks up United's public key on the blockchain and checks that the credential's signature verifies under that key. It might also consult a revocation registry on the blockchain, which again would hold no personal information, only credential identifiers. One check a verifier cannot skip is that the person presenting the credential is the one it was issued to, typically by having the wallet sign a fresh challenge with a key the credential is bound to; otherwise a copied credential could be replayed by anyone who obtained it.
And there you have verifiable credentials with no centralized store of data.
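To make the issue, present and verify flow above concrete, here is an added example written for this page in Go with Ed25519 signatures; it is not code from SITA, Star Alliance or any airline. The issuer identifier `did:example:united`, the credential ID, the tier value and the challenge nonce are all constructed for the example, and an in-memory map stands in for the blockchain that holds issuer public keys and revoked credential IDs. It also exercises the holder-binding step, and shows what happens when a credential is copied, altered, replayed or revoked:

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"encoding/json"
	"errors"
)

// Credential is the claim set the issuing airline signs. It deliberately carries no
// membership number or name: only the tier, an opaque ID used for revocation, and the
// holder's public key, so that a presentation can be bound to the passenger's wallet.
type Credential struct {
	ID        string `json:"id"`
	Issuer    string `json:"issuer"` // hypothetical identifier, e.g. "did:example:united"
	Tier      string `json:"tier"`
	HolderKey []byte `json:"holderKey"`
}

// SignedCredential is the serialised payload plus the issuer's Ed25519 signature.
type SignedCredential struct{ Payload, Signature []byte }

// Registry stands in for the ledger: issuer public keys and revoked credential IDs,
// never passenger data.
type Registry struct {
	Keys    map[string]ed25519.PublicKey
	Revoked map[string]bool
}

func NewRegistry() *Registry {
	return &Registry{Keys: map[string]ed25519.PublicKey{}, Revoked: map[string]bool{}}
}

// Issue signs the credential with the issuing airline's private key.
func Issue(priv ed25519.PrivateKey, c Credential) (SignedCredential, error) {
	payload, err := json.Marshal(c)
	if err != nil {
		return SignedCredential{}, err
	}
	return SignedCredential{Payload: payload, Signature: ed25519.Sign(priv, payload)}, nil
}

// Presentation is what the holder hands to the verifying airline: the credential plus a
// signature over the verifier's fresh challenge, proving possession of the bound key.
type Presentation struct {
	Cred             SignedCredential
	Challenge, Proof []byte
}

func Present(cred SignedCredential, holderPriv ed25519.PrivateKey, challenge []byte) Presentation {
	return Presentation{Cred: cred, Challenge: challenge, Proof: ed25519.Sign(holderPriv, challenge)}
}

// Verify checks a presentation against the registry alone; the issuer is never contacted.
func Verify(reg *Registry, p Presentation, challenge []byte) (Credential, error) {
	var c Credential
	if err := json.Unmarshal(p.Cred.Payload, &c); err != nil {
		return Credential{}, err
	}
	pub, ok := reg.Keys[c.Issuer]
	if !ok {
		return Credential{}, errors.New("unknown issuer")
	}
	if !ed25519.Verify(pub, p.Cred.Payload, p.Cred.Signature) {
		return Credential{}, errors.New("issuer signature does not verify")
	}
	if reg.Revoked[c.ID] {
		return Credential{}, errors.New("credential revoked")
	}
	// Holder binding: the fresh challenge defeats replay, and the proof must come from the
	// key the issuer bound into the credential. ed25519.Verify panics on a malformed key,
	// so the length check comes first.
	if !bytes.Equal(p.Challenge, challenge) {
		return Credential{}, errors.New("challenge mismatch")
	}
	if len(c.HolderKey) != ed25519.PublicKeySize ||
		!ed25519.Verify(ed25519.PublicKey(c.HolderKey), p.Challenge, p.Proof) {
		return Credential{}, errors.New("presenter does not hold the bound key")
	}
	return c, nil
}

// RunScenario walks through the loyalty flow with constructed keys and data and
// reports which outcomes occurred.
func RunScenario() (map[string]bool, error) {
	reg := NewRegistry()
	issuerPub, issuerPriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	reg.Keys["did:example:united"] = issuerPub // published to the ledger
	holderPub, holderPriv, _ := ed25519.GenerateKey(rand.Reader)
	_, thiefPriv, _ := ed25519.GenerateKey(rand.Reader)

	cred, err := Issue(issuerPriv, Credential{ID: "cred-0001", Issuer: "did:example:united", Tier: "Gold", HolderKey: holderPub})
	if err != nil {
		return nil, err
	}
	challenge := []byte("verifier-nonce-1") // constructed; a real verifier draws this at random
	res := map[string]bool{}

	_, err = Verify(reg, Present(cred, holderPriv, challenge), challenge)
	res["genuine_accepted"] = err == nil

	_, err = Verify(reg, Present(cred, thiefPriv, challenge), challenge) // copied credential, wrong wallet key
	res["stolen_rejected"] = err != nil

	tampered := SignedCredential{Payload: bytes.Replace(cred.Payload, []byte(`"Gold"`), []byte(`"Platinum"`), 1), Signature: cred.Signature}
	_, err = Verify(reg, Present(tampered, holderPriv, challenge), challenge)
	res["tampered_rejected"] = err != nil

	_, err = Verify(reg, Present(cred, holderPriv, challenge), []byte("verifier-nonce-2")) // old presentation replayed
	res["replay_rejected"] = err != nil

	reg.Revoked["cred-0001"] = true
	_, err = Verify(reg, Present(cred, holderPriv, challenge), challenge)
	res["revoked_rejected"] = err != nil
	return res, nil
}
```

The verifier never contacts United and never sees a membership number: the registry lookups need only the issuer identifier and the opaque credential ID, and revocation is a single entry keyed by that ID. A real deployment would use a W3C Verifiable Credentials encoding and a proper DID method rather than the JSON and map used here, but the trust checks are the same.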
A blockchain could also be used to share the settlement transactions between airlines, again without personally identifiable information.
A trickier challenge is that individual airlines still need to store their own passenger information for compliance and billing purposes.
COVID-19 health passports
Meanwhile, rarely a day goes by without a new announcement of a digital identity solution for COVID-19 test and vaccination certificates. These work in a similar way, with the testing laboratory or healthcare provider digitally signing the test result or vaccination certificate.
Some high-profile solution providers include GE Digital's TrustOne app, IATA's Travel Pass platform, IBM's Digital Health Pass and the ICC AOKpass, but there are probably hundreds more. ID2020 has set up the Good Health Pass Collaborative to help these solutions interoperate.