Subsidiaries of Indonesian low-cost airline Lion Air have suffered a massive data breach, resulting in the information of millions of passengers – including passport details, home addresses and phone numbers – being leaked onto data exchange forums last month.
Malindo Air CEO Chandran Rama Muthy confirmed the leak, saying that the airline was in the middle of carrying out an investigation into the matter and had already reached out to the Malaysian Communications and Multimedia Commission (MCMC) on Tuesday.
“We found out about this breach last week. We and a third party vendor are checking as we speak, and will come up with a statement soon. We will advise passengers accordingly as per the investigation outcome,” he told the South China Morning Post, adding that it was as yet unknown how many passengers’ details had been leaked.
Chandran said that Malindo Air would also be hiring an independent cybersecurity firm to do a full forensic analysis into the nature of the leak.
“This is a very serious offence.”
The files of passengers who flew with Thai Lion Air and Malindo Air, subsidiaries of Lion Air, were uploaded and stored in an open Amazon Web Services bucket, a public cloud storage resource.
The files – titled “Passenger Details” or “Passengers” – contain full names, home addresses, email addresses, dates of birth, phone numbers, passport numbers and expiration dates.
Four files, two belonging to Malindo Airlines and two belonging to Thai Lion Air, were dumped online by a figure known as Spectre, who operates a darkweb site that publishes download links for leaked data and hacked databases.
There were also references to Batik Air, a third Lion Air subsidiary based in Jakarta.
The data was dumped in groups on instant messaging service Telegram, as well as on cloud storage and file-hosting services such as mega.nz and openload.cc, which still contain an active link to these databases.
Cybersecurity expert Nandakishore Harikumar’s team found the records when monitoring these forums while running a data safety operation for a client.
“While assessing a few of them we found that Spectre’s website had a new dump which belonged to Malindo Airlines. We accessed the dump, verified the data and understood that it contained sensitive information. We assessed the severity and tried to understand where all the data was on sale,” said Nandakishore, CEO of Indian cybersecurity start-up Technisanct, adding that businesses had to take necessary steps to secure sensitive and private information.
Although his company contacted Malindo Air, “there was no response”.
Malindo Air – a Malaysian carrier – operates from two airports in Kuala Lumpur and has a network of about 40 routes across the region, including to destinations in Indonesia, Thailand, India, Singapore and Australia with more than 800 flights weekly.
Chandran is set to step down as CEO on September 23, making way for Mushafiz Mustafa Bakri, who is currently director of safety, security and quality at Thai Lion Air, in a power transfer unrelated to this incident.
Chandran will become strategic director for Lion Group, overseeing the development of the company’s five carriers.
The Post contacted several Malaysians whose details were published in the leak and they confirmed they had flown Malindo Air recently, although they had not been contacted by the airline.
Cyber law and technology lawyer Foong Cheng Leong said that companies in breach of Malaysia’s Personal Data Protection Act are not under any legal obligation to notify the authorities, the public, or the victim of the leak, although this lacuna is being reviewed.
“There is no data breach notification rule in Malaysia under this Act. However, there is of course a moral obligation on the part of the company to notify the subject and the public,” said Foong.
“Unfortunately in Malaysia these data breaches happen often, but if nobody knows about it nothing happens. During past breaches, there were some investigations but no prosecutions and no repercussions.”
In a statement released on Wednesday, Malindo Air admitted that “some personal data concerning our passengers hosted on a cloud-based environment may have been compromised”.
It said that an in-house team, along with external data service providers Amazon Web Services and e-commerce partner GoQuo, was investigating the breach.
The carrier also said that customer payment details were not stored in the affected servers, and that the airline was in the midst of notifying the various relevant authorities both locally and abroad, including national cybersecurity specialist agency CyberSecurity Malaysia.
ASEAN countries are a prime target for cyberattacks, according to global management consulting firm AT Kearney.
In a recent cybersecurity report, the consultancy said Malaysia, Indonesia and Vietnam were “global hotspots” for major blocked suspicious web activities at up to 3.5 times the standard ratio.
In 2017, Malaysia suffered a massive data breach where the information of millions of mobile service subscribers was leaked online. In July this year, popular beauty products retailer Sephora reported online accounts from residents of Hong Kong, Singapore and Malaysia were compromised by a data leak.
Singapore in particular, where Malindo Air’s servers are located, has been the target of a slew of data leaks.
In January, the confidential information of over 14,000 people diagnosed with HIV was leaked online.
In July 2018, the personal data of 1.5 million patients of SingHealth’s specialist clinics – including Prime Minister Lee Hsien Loong – was compromised.
In 2017, an insurance company’s online health portal was breached and the personal information of over 5,000 customers was stolen.
This article was first published in South China Morning Post.