Malindo Air Blames Data Leak on Third-Party Supplier
Data on Millions of Passengers Posted Online, Security Researchers Say
Malindo Air in Malaysia is blaming a recent data breach that exposed the personal information of millions of passengers on two former employees of a third-party supplier to the airlines. Customers of a sister company, Thai Lion Air in Thailand, were also affected, according to Reuters.
The two employees of GoQuo (M) Sdn Bhd, a third-party e-commerce supplier, worked out of a development center in India, according to a statement from Malindo Air. So far, however, the airline has not released the names of the two former contractors, according to Reuters.
The airline did not provide specifics about the breach, only that the two contractors "improperly accessed and stole the personal data of our customers."
Malindo Air reported that it notified police of the breach, Reuters reports. The news service says it could not reach GoQuo for comment.
Malindo Air says it's not clear how the two contractors accessed the data.
When news of the data leak first broke, Bleeping Computer reported that the airline data came from a cloud-based database used by the airlines.
Malindo Air notes, however, that the incident was not the result of a breach of the company's cloud infrastructure, which is supplied by Amazon Web Services. Amazon also reports that its cloud products and storage were not breached in the incident.
"While we can't get into details regarding a customer issue, it is important to clarify that AWS services and infrastructure worked as designed and were not compromised in any way," an Amazon spokesperson tells ZDNet.
Passenger Details Exposed
Malindo Air is the Malaysian subsidiary of Indonesia's Lion Air Group, which also owns Thai Lion Air as well as several other airlines that operate in Southeast Asia.
Malindo Air first acknowledged the breach on Sept. 18. It also issued a statement that advised passengers using its Malindo Miles accounts to change their passwords. Malindo Miles is the company's customer loyalty program for passengers.
The exposed passenger data was first spotted by researchers at security firm Under the Breach on Sept. 11, according to Bleeping Computer. The data appeared on at least one dark net data exchange forum, according to Reuters. One database that the researchers found contained records on about 21 million passengers, while a second database contained details on about 14 million customers, according to a Twitter post by the researchers.
"Second database has 14 million records which include the name, date of birth, phone number, passport number and passport expiration date. Researchers, contact us for more details." pic.twitter.com/KIsTxhda7e
Under the Breach (@underthebreach), September 11, 2019
Reuters reported that in an alert sent to its customers about the breach, Kaspersky put the total number of passenger records exposed for the two airlines at 46 million.
Bleeping Computer reported that the records were found in a directory that had backup files created in May mostly for Malindo Air and Thai Lion Air. Another backup file consisted of data from Batik Air, another subsidiary of Lion Air Group, according to the report.
Although researchers with Under the Breach posted their findings on Twitter Sept. 11, it wasn't until Sept. 13 that others apparently started paying attention to the leaked data after Kaspersky sent out an alert to customers in Thailand and Malaysia notifying them of a possible security breach.
"The alert notified them of the breach and asked them to treat incoming emails, text messages, and calls with additional caution," a Kaspersky spokesperson tells Information Security Media Group. "This was done via Security News - the in-product component used to rapidly inform our users about important cybersecurity-related news emerging in the public domain."
Kaspersky is not involved in the investigation, the spokesperson said.
Increasingly, airlines are becoming an attractive target for cyber criminals due to the immense amount of personal data that these companies store, security researchers say. In September 2018, for example, British Airways discovered that hackers compromised payment card data and personal details for 429,000 customers.
In July, Britain's Information Commissioner issued a notice of intent stating that it planned to fine British Airways $230 million for violating the European Union's General Data Protection Regulation (see: British Airways Faces Record-Setting $230 Million GDPR Fine).