The breach was first reported to the company in February. Details including passport and ticket information as well as credit-card data were compromised.
But Air India said security details for credit cards - CVV or CVC numbers - were not stored on the server targeted.
It is not immediately clear who was behind the attack.
The airline, a member of the Star Alliance network, said the breach involved all information registered between 26 August 2011 and 20 February 2021.
Air India said no subsequent unauthorised activity had been detected.
Last year, British Airways was fined £20m ($26m) for a data breach which affected personal and credit card data of more than 400,000 customers in 2018.
Also last year, EasyJet admitted that email addresses and travel details of approximately nine million customers had been stolen in a cyber-attack.