The compromised software was operated by SITA Passenger Service System. The hack was exposed in February 2021, but the scale of the data breach wasn’t known until now.

The breach involved personal data registered between 26 August 2011 and 3 February 2021. Details exposed included names, dates of birth, contact information, passport information, ticket information, and Star Alliance and Air India frequent flyer data.

Credit card data was also stolen but Air India said this didn’t include CVV/CVC security numbers. The airline, which is part of the Star Alliance network, is advising customers to change their Air India passwords on its website.

Gareth Shaw, Which? head of money, said: “Air India customers will understandably be worried that their data has fallen into the hands of hackers who might try to exploit it, so it is vital that the company provides clear and timely updates to victims and supports them in taking steps to protect themselves.

“Anyone concerned they could be affected should be wary of unexpected phone calls, emails or fake ‘customer support’ messages popping up on social media regarding the breach, as scammers might try to take advantage of it. It’s also worth keeping a close eye on bank accounts and credit reports.

“While it looks unlikely that passwords have been stolen in this breach, Air India recommends customers should change their password as a precaution.”

British Airways was fined £20m last year for a data breach which affected the personal and credit card data of more than 400,000 customers in 2018. The Information Commissioner’s Office (ICO) fined the carrier for failing to protect the personal and financial details of hundreds of thousands of customers.

There was also a data breach at EasyJet last year when the personal details, email addresses and travel plans of nine million customers were accessed by hackers.