Malaysia's Malindo Air confirms passenger data breach
[KUALA LUMPUR] Malaysia's Malindo Air, a subsidiary of Indonesia's Lion Group, said on Wednesday it was investigating a data breach involving the personal details of its passengers.
Malindo Air's statement followed news that the details of 35 million passengers of Malindo and fellow Lion Group subsidiary Thai Lion Air were posted in online forums. Twitter account "Under the Breach", which tracks cyber crime, reported on Sept 12 that the leaked information included passengers' passport details, addresses and phone numbers.
Moscow-based cybersecurity firm Kaspersky told The Business Times that it had sent an alert to its security cloud users in Thailand and on Sept 13, two days after information about the data breach went public. The alert notified the users of the breach and asked them to treat incoming emails, text messages, and calls with additional caution. This was done via Security News - Kaspersky's in-product component used to inform its users about important cybersecurity-related news emerging in the public domain. (see amendment note)
Lion Group and Thai Lion Air could not immediately be reached for comment.
Malindo Air said it was notifying authorities internationally about the incident and advised customers with online frequent flyer accounts to change their passwords.
It declined to provide more detail on its investigation, including how many customers were affected, but said it did not store any customer payment details on its servers.
"We are in the midst of notifying the various authorities both locally and abroad including CyberSecurity Malaysia," it said in a statement. "Malindo Air is also engaging with independent cybercrime consultants to investigate and report into this incident."
The files were uploaded and stored in an open Amazon Web Services (AWS) bucket, a public cloud storage resource. AWS, which is an external data service provider for Malindo, was not immediately available for comment.
Lion Air received global attention in October when one of its new Boeing 737 MAX jets crashed into the Java Sea, killing all 189 passengers and crew on board.
Amendment note: Reuters reported on Sept 18 that Malindo Air's statement followed a report by Kaspersky about the airlines' data breach and that Kaspersky had said part of the leaked databases were up for sale on the dark web. On Sept 20, Kaspersky clarified that it has never produced a report or any other specific intelligence on the airlines' data leak. This article has been amended to reflect the clarification.