Malindo Air confirms data breach, exposing millions of passengers' personal data

South China Morning Post Dipublikasikan 04.09, 18/09/2019
Malindo Air confirms data breach, exposing millions of passengers' personal data

Subsidiaries of Indonesian low-cost airline Lion Air have suffered a massive data breach, resulting in the information of millions of passengers - including passport details, home addresses and phone numbers - being leaked onto data exchange forums last month.

Malindo Air CEO Chandran Rama Muthy confirmed the leak, saying that the airline was in the middle of carrying out an investigation into the matter and had already reached out to the Malaysian Communications and Multimedia Commission (MCMC).

"We found out about this breach last week. We and a third party vendor are checking as we speak, and will come up with a statement soon. We will advise passengers accordingly as per the investigation outcome," he told the South China Morning Post, adding that it was yet unknown how many passengers' details had been leaked.

Chandran said that Malindo Air would also be hiring an independent cybersecurity firm to do a full forensic analysis into the nature of the leak.

"This is a very serious offence."

The files of passengers who flew with Thai Lion Air and Malindo Air, subsidiaries of Lion Air, were uploaded and stored in an open Amazon web services bucket, a public cloud storage resource.

Lion Air Boeing 737-800 aircraft at the airport in Padang, Indonesia. Photo: AFP

The files - titled "Passenger Details" or "Passengers" - contain full names, home addresses, email addresses, dates of birth, phone numbers, passport numbers and expiration dates.

Four files, two belonging to Malindo Airlines and two belonging to Thai Lion Air, were dumped online by a figure known as Spectre, who operates a darkweb site that publishes download links for leaked data and hacked databases.

There were also references to Batik Air, a third Lion Air subsidiary based in Jakarta.

The data was dumped in groups on instant messaging service Telegram, as well as on cloud storage and file-hosting services such as mega.nz and openload.cc, which still contain an active link to these databases.

Cybersecurity expert Nandakishore Harikumar's team found the records when monitoring these forums while running a data safety operation for a client.

"While assessing a few of them we found that Spectre's website had a new dump which belonged to Malindo Airlines. We accessed the dump, verified the data and understood that it contained sensitive information. We assessed the severity and tried to understand where all the data was on sale," said Nandakishore, CEO of Indian cybersecurity start-up Technisanct, adding that businesses had to take necessary steps to secure sensitive and private information.

Although his company contacted Malindo Air "there was no response".

Malindo Air - a Malaysian carrier - operates from two airports in Kuala Lumpur and has a network of about 40 routes across the region, including to destinations in Indonesia, Thailand, India, Singapore and Australia with more than 800 flights weekly.

Chandran will step down as CEO on September 23, making way for Mushafiz Mustafa Bakri, who is currently director of safety, security and quality at Thai Lion Air.

Chandran will become strategic director for Lion Group, overseeing the development of the company's five carriers.

The Post contacted several Malaysians whose details were published in the leak and they confirmed they had flown Malindo Air recently.

Asean countries are a prime target for cyberattacks, according to global management consulting firm AT Kearney.

In a recent cybersecurity report, the consultancy said Malaysia, Indonesia and Vietnam were "global hotspots" for major blocked suspicious web activities at up to 3.5 times the standard ratio.

In 2017, Malaysia suffered a massive data breach where the information of millions of mobile service subscribers was leaked online. In July this year, popular beauty products retailer Sephora reported online accounts from residents of Hong Kong, Singapore and Malaysia were compromised by a data leak.

Copyright (c) 2019. South China Morning Post Publishers Ltd. All rights reserved.

Artikel Asli