Malindo Air, the Malaysian subsidiary of Lion Air, today confirmed that it recently suffered a major breach of customer records after hackers gained access to an Amazon Web Services cloud database that stored such details.
Exactly a week ago, a security researcher posted a series of updates on Twitter, stating that an unnamed hacker had dumped two massive databases on the Dark Web that contained huge troves of customer and flight information belonging to Lion Air.
HUGE: Hacker dumps @lionairthai's customer and flight database
First database has 21 million records which include passenger ID, Reservation ID, customer address, phone number and email (1/2) #breach #database #gdpr #blackhat pic.twitter.com/GCJ0LvekWR
— Alon Gal (Under the Breach) (@UnderTheBreach), September 11, 2019
One of these databases contained as many as 21 million customer records, including passenger IDs, reservation IDs, customer addresses, email addresses, and phone numbers; the other contained 14 million records, including names, dates of birth, phone numbers, passport numbers, and passport expiration dates of Lion Air's customers. Both databases uploaded to the Dark Web were marked for sale by the hacker.
Malindo Air says some personal data was accessed by hackers
Earlier today, Malindo Air, a subsidiary of Lion Air, confirmed that it did suffer a breach of customer records recently after hackers compromised a cloud-based environment that hosted such records.
However, whereas the researcher listed the categories of customer records stolen by the hacker, Malindo Air said only that "some personal data" was lost as a result of the hack.
"Malindo Airways Sdn Bhd has come to be aware that some personal data concerning our passengers hosted on a cloud-based environment may have been compromised. Our in-house teams, along with external data service providers, Amazon Web Services (AWS) and GoQuo, our e-commerce partner, are currently investigating into this breach.
"Malindo Air has put in adequate measures to ensure that the data of our passengers is not compromised in line with the Malaysian Personal Data Protection Act 2010. We also do not store any payment details of our customers in our servers and are compliant with the Payment Card Industry (PCI) Data Security Standard (DSS)," the airline said.
"We are in the midst of notifying the various authorities both locally and abroad including CyberSecurity Malaysia. Malindo Air is also engaging with independent cybercrime consultants to investigate and report into this incident.
"As a precautionary measure, we would advise passengers who have Malindo Miles accounts to change their passwords if identical passwords have been used on their other services online. We will continue to provide further updates through our website, mobile and social media platforms," it added.
It remains to be seen whether the airline will release the exact number and nature of the customer records compromised in the incident.
Passive biometrics technologies that render stolen data valueless must be implemented
"In this recent breach, passenger names, passport numbers, mailing address, email address, passwords, and reservation IDs – everything that can be used to compile an identity or facilitate fraud against the consumer's identity – were released. Malindo Air is right in suggesting that its customers change passwords immediately, to prevent potential misuse of some of the stolen data, but this doesn't go far enough to protect consumers," says Robert Capps, VP at NuData Security.
"Organisations must change the current equation of 'breach = fraud' by changing how they think about online identity verification. All data must be protected, but more importantly, it needs to be rendered valueless to cybercriminals, even if they get a full consumer profile with name, address, email, and passport numbers.
"Multi-layered technology that thwarts fraud exists right now. Passive biometrics technology is making stolen data valueless by verifying users based on their inherent behaviour instead of relying on their data. This makes it impossible for bad actors to access illegitimate accounts, as they can't replicate the customer’s inherent behaviour," he adds.