Utair 2019 Data Breach
ObscureIQ Breach Intelligence
High SeverityWebsite / service breach
Utair Russian Airline Breach (2019): 401K Passenger Records Including Contact Details Exposed
Russian airline providing passenger and cargo air transport.
Verified by ObscureIQ Intelligence
79/100Breach Risk Index
30Data Value
60Market Recency
122dSince Breach
Breach Intelligence Summary
Entity: Utair · Actor: Unknown (server misconfiguration; data circulated then sold) · Sources: 2 references
Attack: Unknown
Profile: Company · Passenger air transportation · Commercial airline · Russia / Global
Timeline: Breach (2019-03-21) · Indexed (Dec 26, 2025) · Year (2019)
Exposure: 401K records · 8 fields: Date of Birth, Email Address, Full Name, Gender, Loyalty Program Details, Passport Number, Phone Number, Physical Address
Status: Confirmed
Executive Summary
A data breach affecting Russian airline Utair traces to early 2019, when a MongoDB database operated by the airline's in-house IT division, UTair Digital, was left exposed on the public internet from approximately January 21 to March 21, 2019. The database was identified by Russian leak-intelligence service DLBI, which notified the airline. Utair contained the exposure and characterized it as the result of a server misconfiguration.\n\nThe data initially circulated among threat-actor circles, was offered for sale in August 2019, and was published openly on a hacker forum in August 2020. Have I Been Pwned indexed approximately 401,000 unique email addresses associated with the dataset and added the breach to its public database in late 2025. Original Russian-language reporting put the underlying record count at around 530,000 customer rows. Exposed fields included passenger names in both Cyrillic and Latin characters, email addresses, phone numbers, dates of birth, gender, home addresses, passport numbers, and UTair Status loyalty program details including accumulated miles and tier level.\n\nUtair publicly stated that no payment-card data was compromised and that loyalty accounts remained protected by two-factor authentication. The practical risk to affected passengers is concentrated in identity fraud and travel-related phishing. The combination of passport number, date of birth, and address creates an unusually strong base for international identity-verification bypass. Affected passengers should treat their passport details as exposed, monitor for unusual travel-related contact, and remain alert to phishing referencing past Utair bookings, loyalty status, or accumulated miles.
ObscureIQ assessment: Exposure enables travel fraud, phishing, booking impersonation, and physical-world targeting. Itinerary data can also reveal movement patterns and likely absence from home.
Breach Impact
The institutional impact on Utair from the 2019 incident has been modest. The airline confirmed the underlying data exposure and characterized it as legacy data that had been quickly contained after researcher notification. Utair publicly stated that no payment-card information was compromised because card data is held separately, and that loyalty-program account access remained protected by two-factor authentication. There has been no public record of regulatory penalty, large-scale customer notification campaign, or class-action litigation tied to the incident. The reputational cost has accumulated indirectly as the dataset continues to be republished and indexed by international breach-tracking services years after the original exposure.
About Utair
UTair Aviation is a Russian airline based in Surgut, providing passenger and helicopter services across Russia and a smaller set of international destinations. Founded in 1967 and one of Russia's larger carriers by helicopter fleet, the airline operates regional and medium-haul passenger flights alongside extensive helicopter operations supporting the energy sector and emergency services. The carrier maintains a customer loyalty program known as UTair Status and runs its own digital systems through an in-house IT division, UTair Digital. Its passenger base is concentrated in Russia and the Commonwealth of Independent States.
Why They Hold Your Data
Commercial airlines collect passenger identity, contact details, booking records, payment-adjacent information, itinerary data, loyalty accounts, and support interactions across travel operations.
Recent Developments
Utair has continued to operate through the political and economic disruption that followed Russia's 2022 invasion of Ukraine, although Western sanctions have constrained access to international markets, aircraft parts, and certain digital services. Russian aviation more broadly has been the subject of a growing number of cybersecurity incidents linked to pro-Ukrainian hacktivist groups, including a major 2025 attack on flag carrier Aeroflot. Utair has not been publicly tied to a similar large-scale incident in the years since the 2019 leak. The 2019 dataset was added to public breach-tracking databases including Have I Been Pwned in late 2025.
Data Points Exposed
8 verified field types
Date of Birth High
Email Address
Full Name High
Gender
Loyalty Program Details
Passport Number Critical
Phone Number
Physical Address High
Field names are shown in full for clarity and search visibility. Canonical machine keys are emitted only in this page’s structured data.
Exploitation & Downstream Threats
Threat Activity:High
Primary downstream threats:
- Identity verification bypass using name + date of birth combination
- SIM swap attacks where phone numbers are present
- Targeted phishing campaigns using exposed email addresses
- Doxxing risk from physical address exposure
Threat vectors:
- Identity verification bypass
- Phishing, credential stuffing & account takeover
- Name-based social engineering
- Profile enrichment
- Loyalty point theft & account takeover
- International identity fraud & border exploitation
- SIM swapping, vishing & SMS phishing
- Physical stalking, mail fraud & identity verification
Threat Actor: Unknown (server misconfiguration; data circulated then sold)
Unknown (server misconfiguration; data circulated then sold)
Unknown
Attribution and method are based on available breach intelligence. Reported attack vector: Unknown.
Recommended Actions
If you believe your information may be included:
Protect Your ID Documents
Government-ID exposure enables document fraud — monitor and report misuse.
Enable MFA Everywhere
Turn on multi-factor authentication on email first, then financial accounts.
Report & Recover
If you spot misuse, start an official recovery plan and report fraud.
Frequently Asked Questions
What happened in the Utair breach?▾
A data breach affecting Russian airline Utair traces to early 2019, when a MongoDB database operated by the airline's in-house IT division, UTair Digital, was left exposed on the public internet from approximately January 21 to March 21, 2019. The database was identified by Russian…
What data was exposed?▾
Verified fields include Date of Birth, Email Address, Full Name, Gender, Loyalty Program Details, Passport Number, Phone Number, Physical Address.
What should I do if I was affected?▾
Change reused passwords, enable MFA, and (if identity or financial data is involved) freeze your credit and monitor your accounts.
Sources & References
Every claim on this page is traceable. This breach draws on:
Breach Index
ObscureIQ Intelligence
ObscureIQ proprietary analysis
Protect Yourself
Check If You're Affected
Enter your email to check whether your data appears in this breach. We’ll send a 6-digit code to confirm it’s your address.
Get Free Breach Alerts
Be the first to know when new breaches are disclosed. Free forever — confirm your email with a 6-digit code.
High-Risk? Get an Exposure Audit
Executives, public figures, and high-visibility operators can receive tailored exposure intelligence and hardening guidance.
Request Consultation