Malaysian airline Malindo Air confirms massive data breach

Malaysian airline Malindo Air confirms massive data breach

Malindo Air

Malindo Air, the Malaysian subsidiary of Lion Air, today confirmed that it recently suffered a major breach of customer records after hackers gained access to an Amazon Web Services cloud database that stored such details.

Exactly a week ago, a security researcher posted a series of updates on Twitter, stating that an unnamed hacker had dumped two massive databases on the Dark Web that contained huge troves of customer and flight information belonging to Lion Air.

While one of these databases contained as many as 21 million customer records such as passenger IDs, Reservation IDs, customer addresses, email addresses, and phone numbers, the other database contained 14 million records such as names, dates of birth, phone numbers, passport numbers, and passport expiration dates of Lion Air's customers. Both databases uploaded to the Dark Web were marked for sale by the hacker who gained access to the databases.

Malindo Air says some personal data was accessed by hackers

Earlier today, Malindo Air, a subsidiary of Lion Air, confirmed that it did suffer a breach of customer records recently after hackers compromised a cloud-based environment that hosted such records.

However, unlike how the researcher detailed the list of customer records stolen by the hacker, Malindo Air said that only "some personal data" was lost as a result of the hack.

"Malindo Airways Sdn Bhd has come to be aware that some personal data concerning our passengers hosted on a cloud based environment may have been compromised. Our in house teams along with external data service providers, Amazon Web Services (AWS) and GoQuo, our e-commerce partner are currently investigating into this breach.

"Malindo Air has put in adequate measures to ensure that the data of our passengers is not compromised in line with the Malaysian Personal Data Protection Act 2010. We also do not store any payment details of our customers in our servers and are compliant with the Payment Card Industry (PCI) Data Security Standard (DSS)," the airline said.

"We are in the midst of notifying the various authorities both locally and abroad including CyberSecurity Malaysia. Malindo Air is also engaging with independent cybercrime consultants to investigate and report into this incident.

"As a precautionary measure, we would advise passengers who have Malindo Miles accounts to change their passwords if identical passwords have been used on their other services online. We will continue to provide further updates through our website, mobile and social media platforms," it added.

It remains to be seen if the airline will release the exact number of customer records and the nature of such records that were compromised during the hacking incident.

Passive biometrics technologies that render stolen data valueness must be implemented

"In this recent breach, passenger names, passport numbers, mailing address, email address, passwords, and reservation IDs – everything can be used to compile an identity or facilitate fraud against the consumer’s identity – were released. Malindo Air is right suggesting its customers to change passwords immediately, to prevent potential misuse of some of the stolen data, but this doesn’t go far enough to protect consumers," says Robert Capps, VP at NuData Security.

"Organisations must change the current equation of "breach = fraud" by changing how they think about online identity verification. All data must be protected, but more importantly, it needs to be rendered valueless to cybercriminals, even if they get a full consumer profile with name, address, email, and passport numbers.

"Multi-layered technology that thwarts fraud exists right now. Passive biometrics technology is making stolen data valueless by verifying users based on their inherent behaviour instead of relying on their data. This makes it impossible for bad actors to access illegitimate accounts, as they can't replicate the customer’s inherent behaviour," he adds.

ALSO READ: British Airways fined a staggering £183.39m under GDPR for suffering massive breach

Copyright Lyonsdown Limited 2020

Top Articles

3 Bizarre Bitcoin Trading Stories

Bitcoin is booming, but what may come as a shock to you is the number of regular people turning to Bitcoin investing.

Malaysia Airlines flyers impacted in 9-year-long supplier data breach

Malaysia Airlines has suffered a major breach that compromised personal data records of its frequent flyer customers for over nine years.

Universal Health Services lost $67m to a Ryuk ransomware attack last year

Universal Health Services said the cyber attack cost it $67 million in remediation efforts, loss of acute care services, and other expenses.

Related Articles