{
	"id": "1d73c0dd-987e-43b5-a8ae-efecda814915",
	"created_at": "2026-04-06T00:21:44.432062Z",
	"updated_at": "2026-04-10T03:36:01.428303Z",
	"deleted_at": null,
	"sha1_hash": "70a9ef1b5c68e4044340bbda916faad453f1606d",
	"title": "Arabian Travel Agency Data Breach: Millions Potentially Impacted",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 411152,
	"plain_text": "Arabian Travel Agency Data Breach: Millions Potentially\r\nImpacted\r\nBy Samiksha Jain\r\nPublished: 2024-07-10 · Archived: 2026-04-05 21:11:11 UTC\r\nAfter a threat actor known as “ghostr” on the XSS forum claimed a significant data breach targeting the UAE-based Arabian Travel Agency, which allegedly impacts Air India customers travelling to and from UAE, the\r\naviation giant said it is investigating the claims.\r\nThe Arabian Travel Agency data breach, which allegedly occurred in June 2024, compromised a substantial\r\namount of sensitive information, including corporate, accounting, and sales data, as well as personal information\r\nof over 228,303 Air India customers and 1,081,733 visa applicants.\r\nAdditionally, the attacker claims to have obtained various personal documents and images of the company’s\r\nemployees.\r\nAir India Responds\r\nAn Air India spokesperson told The Cyber Express that a possible compromise of data has occurred from the\r\nsystems of Arabian Travel Agency (ATA) – the General Sales Agent of Air India for the UAE region.\r\nThe Indian aviation giant said it had obtained a copy of the notification posted on Dark Web, along with some\r\nsample data. “Our analysis of the sample data suggests that it is related to the period around July-August 2020,\r\nwhich is before the privatisation of Air India, which occurred in January 2022,” the spokesperson said.\r\nHe also added that it could not be ascertained if the data exactly matched with the personal details of Air India’s\r\npassengers. “We have reached out to ATA, and requested complete details of the incident,” the spokesperson said.\r\nAir India, as per the applicable regulatory requirements, has notified relevant Government authorities about this\r\nincident.\r\n“Post privatization, Air India has invested heavily in technology and put in systems to ensure data protection. 
At\r\nAir India, data privacy and protection are of utmost priority,” the spokesperson assured.\r\nDetails of Arabian Travel Agency Data Breach\r\nAccording to ghostr’s post, the compromised data includes a wide range of sensitive information:\r\nCorporate, Accounting, and Sales Information: Confidential business data from the Arabian Travel\r\nAgency, which serves as the official general sales agent for Air India in the UAE.\r\nCustomer Personal Information: Data from 228,303 Air India customers, potentially including names,\r\ncontact details, travel itineraries, and more.\r\nVisa Applicant Records: Information from 1,081,733 visa applicants, likely encompassing personal\r\ndetails submitted during the visa application process.\r\nEmployee Documents and Images: Copies of employee documents such as certificates, driving licenses,\r\nEmirates ID cards, labor cards, Ministry of Labour (MOL) contracts, passports, and residence visas.\r\nTo substantiate these claims, ghostr has reportedly provided sample records from the alleged database.\r\nThe Cyber Express Team has made attempts to verify the claims by reaching out to both Arabian Travel Agency\r\nand Air India. However, as of this writing, no official response has been received from either organization, leaving\r\nthe claims unverified.\r\nPotential Implications of Data Breach at Arabian Travel Agency\r\nIf ghostr’s claims are proven true, the consequences for both the Arabian Travel Agency and Air India could be\r\nsevere. The alleged exposure of such extensive and sensitive information would not only compromise the privacy\r\nof millions of individuals but also pose significant risks to the affected organizations. The potential implications\r\ninclude:\r\n1. 
Privacy Violations: The personal information of customers and visa applicants, including potentially\r\nsensitive details, being exposed could lead to privacy violations and identity theft.\r\n2. Corporate Espionage: The breach of corporate, accounting, and sales information might expose the\r\nArabian Travel Agency to corporate espionage, impacting its competitive standing and operational security.\r\n3. Regulatory Scrutiny and Legal Consequences: Both organizations could face intense regulatory scrutiny\r\nand potential legal actions due to the breach. Compliance with data protection regulations, such as the\r\nUAE’s Personal Data Protection Law (PDPL), would be called into question.\r\n4. Reputational Damage: The loss of trust among customers and business partners could have long-term\r\nrepercussions on the reputation and financial health of the affected companies.\r\n5. Operational Disruptions: Addressing the breach and mitigating its impact could lead to significant\r\noperational disruptions and financial costs for both the Arabian Travel Agency and Air India.\r\nAs the situation continues to unfold, the Cyber Express Team remains committed to providing updates on this\r\ndeveloping story. The team will diligently seek further information and official comments from the targeted\r\ncompanies. Until then, the claims by ghostr remain unverified.\r\nIn 2021, Air India reportedly faced a cyberattack that affected over 4.5 million customers. In May of that year, it\r\nwas revealed that the personal details of millions of customers worldwide had been compromised. 
This included\r\nsensitive information such as passports, credit card details, birth dates, names, and ticket information.\r\nThe breach was initially reported to Air India in February 2021 by their data processor, SITA, a Swiss technology\r\ncompany known for providing passenger processing and reservation system services. The breach involved data\r\nregistered in SITA’s systems between August 26, 2011, and February 20, 2021. It was discovered that the\r\ncyberattackers had access to the systems for a period of 22 days.\r\nConclusion\r\nThe alleged data breach at the Arabian Travel Agency, purportedly orchestrated by ghostr, highlights the ever-present threats posed by cybercriminals. The potential exposure of vast amounts of sensitive information\r\nhighlights the critical importance of strong cybersecurity measures.\r\nThe Cyber Express Team will continue to monitor the situation closely, providing timely updates as new\r\ninformation becomes available.\r\n*Update July 10, 11:05 a.m.: Added comments from the Air India spokesperson and changed the article title to\r\nreflect the same.\r\nMedia Disclaimer: This report is based on internal and external research obtained through various means. The\r\ninformation provided is for reference purposes only, and users bear full responsibility for their reliance on it.\r\nThe Cyber Express assumes no liability for the accuracy or consequences of using this information.\r\nSource: https://thecyberexpress.com/arabian-travel-agency-data-breach-exposed-info/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://thecyberexpress.com/arabian-travel-agency-data-breach-exposed-info/"
	],
	"report_names": [
		"arabian-travel-agency-data-breach-exposed-info"
	],
	"threat_actors": [
		{
			"id": "d90307b6-14a9-4d0b-9156-89e453d6eb13",
			"created_at": "2022-10-25T16:07:23.773944Z",
			"updated_at": "2026-04-10T02:00:04.746188Z",
			"deleted_at": null,
			"main_name": "Lead",
			"aliases": [
				"Casper",
				"TG-3279"
			],
			"source_name": "ETDA:Lead",
			"tools": [
				"Agentemis",
				"BleDoor",
				"Cobalt Strike",
				"CobaltStrike",
				"RbDoor",
				"RibDoor",
				"Winnti",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "6e8effad-d9fb-4b49-bba4-9b4e5953356d",
			"created_at": "2024-04-23T02:00:04.243074Z",
			"updated_at": "2026-04-10T02:00:03.630533Z",
			"deleted_at": null,
			"main_name": "GhostR",
			"aliases": [],
			"source_name": "MISPGALAXY:GhostR",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "b4f79ca0-e94b-4abe-a61e-ea3d2a2458ad",
			"created_at": "2022-10-25T16:07:24.444096Z",
			"updated_at": "2026-04-10T02:00:04.994412Z",
			"deleted_at": null,
			"main_name": "ALTDOS",
			"aliases": [
				"0mid16B",
				"ALTDOS",
				"Desorden",
				"GHOSTR"
			],
			"source_name": "ETDA:ALTDOS",
			"tools": [
				"Agentemis",
				"Cobalt Strike",
				"CobaltStrike",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434904,
	"ts_updated_at": 1775792161,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/70a9ef1b5c68e4044340bbda916faad453f1606d.pdf",
		"text": "https://archive.orkl.eu/70a9ef1b5c68e4044340bbda916faad453f1606d.txt",
		"img": "https://archive.orkl.eu/70a9ef1b5c68e4044340bbda916faad453f1606d.jpg"
	}
}