Malaysia-based airline and Lion Air Group subsidiary Malindo Air has announced the result of its investigation of a data breach that leaked the personal details of some 35 million customers online.

“As a result of the findings, two former employees of [Malindo Air’s] e-commerce services provider, GoQuo Sdn Bhd in its development centre in India, had improperly accessed and stolen the personal data of our customers. The matter has been reported to the police, both in Malaysia and India,” the airline wrote in a statement on Monday.

The company said it had been working closely with all the relevant agencies, including the Malaysian Personal Data Protection Commissioners, the National Cyber Security Agency, as well as their counterparts overseas.

“Malindo Air is pleased to advise that the data exposure has since been contained,” it added. “Malindo Air wishes to reiterate that this incident is not related to the security of its data architecture or that of its cloud provider Amazon Web Services. All its systems are fully secured and none of the payment details of customers were compromised due to the malicious act.”

Passengers of Batik Air, Malindo Air and Thai Lion Air were shocked when they discovered that their personal details had been posted online sometime in August, according to a cybersecurity research collective, making them vulnerable to various kinds of cybercrime, including identity theft.

The breach was discovered earlier this month by online cybersecurity intelligence collective Under the Breach, which goes by the Twitter handle @underthebreach. The collective posted censored screenshots of Thai Lion Air’s internal data in a brief Twitter thread, showing the sheer scale of the data theft.

The breach has put a spotlight on data protection, which remains a dire concern among businesses in Indonesia, and is also a warning of how fragile data security is in the aviation industry.

Last year, the data of 9.4 million Cathay Pacific passengers were also leaked.

“Cybercriminals will have seen the data breaches affecting other airlines and make the assumption that these are targets worth focusing on, especially considering the sensitive information airlines hold on their customers,” said Aaron Zander, head of IT at HackerOne.

“Leaving a server exposed without any protection is one of the most basic and embarrassing security failings, but still, these breaches continue to happen across the board. When it comes to securing the data of ever more informed consumers, the basics of security need to be covered at a minimum.”

He added that the recent passenger data leak must be used as a lesson for the industry to double down on its security.

“It is also important to remember to check and recheck your security. Modern engineering teams have many people who can improve your infrastructure and security, but equally as many people can make a mistake. Continued testing and checks help keep everyone’s data safe, especially your customers,” he said.

THE JAKARTA POST