Amadeus says customer information was stolen from Resbird Technologies, its independent distributor in India, in January 2019.
In a statement, the distribution giant says that while there was no “unauthorized access to the system,” a Resbird employee who had rights to access the systems had illegally taken information from a number of passenger name records (PNRs).
The employee is then believed to have passed the information to a third party that specializes in SIM cards for mobile phones.
According to the Amadeus statement, the PNR information included name, contact details and travel itineraries.
In a small number of cases, it may also have included passport details.
The information accessed came from India-based travel agents and involved only tickets issued in India.
Subscribe to our newsletter below
The statement says a number of actions have been taken, including the employment terminated for the person involved and a report filed with the police in India.
It is not known how many records were accessed, but Amadeus felt it was large enough to file a report with the Spanish data protection authority.
The company is also conducting a review of the data compromised, which goes back to the end of June 2018.
It has also sent a “cease and desist letter” to the SIM card company for the stolen information to be returned or destroyed.
PhocusWire has contacted Resbird for comment.