Malindo Air has confirmed a data breach that saw passengers’ personal details — reportedly including passport details, home addresses and phone numbers — posted on data exchange forums last month.
The Lion Air subsidiary said it was aware that “some personal data concerning our passengers hosted on a cloud-based environment may have been compromised”
“Our in house teams along with external data service providers, Amazon Web Services (AWS) and GoQuo, our e-commerce partner are currently investigating into this breach,’’ it said.
“Malindo Air has put in adequate measures to ensure that the data of our passengers is not compromised in line with the Malaysian Personal Data Protection Act 2010.
“We also do not store any payment details of our customers in our servers and are compliant with the Payment Card Industry (PCI) Data Security Standard (DSS).”
The airline said it was in the process of notifying authorities “both locally and abroad “ about the breach, including CyberSecurity Malaysia.
It was also engaging with independent cybercrime consultants to investigate and report into this incident.
“As a precautionary measure, we would advise passengers who have Malindo Miles accounts to change their passwords if identical passwords have been used on their other services online,’’ it said.
According to the South China Morning Post, the breach involved the information of millions of passengers of Malindo and Thai Lion Air.
There were also references to Batik Air, another Lion Air subsidiary.
The Post said four files, two belonging to Malindo and two to Thai Lion Air, were dumped online by a “dark web” figure known as Spectre.
The airlines join a growing list of carriers to have fallen foul of hackers in the recent times.
A number of airlines have been targeted by hackers in recent times, including Cathay Pacific and British Airways.
Business publication Forbes earlier this year reported a study showing cyber-attacks against passenger air travel rose by more than 15,000 per cent between 2017 and 2018.