Now, three months later, the full extent of the damage is still coming into view. As TechCrunch reports, Air India revealed this week that the incident at SITA exposed the personal information of about 4.5 million passengers.

According to a statement by the Indian flag carrier airline, the breach of its data processor exposed passengers’ names, birthdates, credit card information, contact details, passport data and more.

While Air India noted that SITA did not have the CVV/CVC numbers from credit cards, the airline also called on travelers to update their passwords “wherever applicable to ensure safety of their personal data.”

Customers who registered with Air India between August 26, 2011 and February 3, 2021 were affected, according to the airline.

SITA is based in Geneva, Switzerland, and is thought to work with 90% of global carriers. The company initially said it had contacted Malaysia Airlines, Finnair, Singapore Airlines, Jeju Air, Cathay Pacific, Air New Zealand, and Lufthansa about the hack. SITA said in early March that it couldn’t share specific information exposed in the hack due to an ongoing investigation.

As Engadget reports, Air India said that while it learned of the breach on February 25 and published an alert on March 19, it didn’t find out the names of the passengers touched by the incident until March 25 and May 4. The identity of who was behind the breach is still unclear.

A 2018 data breach of another airline, Cathay Pacific, affected as many as 9.4 million travelers.

As Insurance Journal notes, Air India is also in the midst of a legal fight with British firm Cairn Energy, which was awarded a $1.2 billion arbitration award in December.

Another recent airline data breach hit easyJet, which disclosed in 2020 that about 9 million customers had their email and travel details accessed in a cyber attack.