[BreachExchange] Malindo Air confirms data breach, exposing millions of passengers’ personal data

Destry Winant destry at riskbasedsecurity.com
Wed Sep 18 10:08:14 EDT 2019


https://www.scmp.com/news/asia/southeast-asia/article/3027780/malindo-air-confirms-data-breach-exposing-millions

Subsidiaries of Indonesian low-cost airline Lion Air have suffered a
massive data breach, resulting in the information of millions of
passengers – including passport details, home addresses and phone
numbers – being leaked onto data exchange forums last month.

Malindo Air CEO Chandran Rama Muthy confirmed the leak, saying the
airline was in the middle of carrying out an investigation into the
matter and had already reached out to the Malaysian Communications and
Multimedia Commission (MCMC) on Tuesday.

“We found out about this breach last week. We and a third party vendor
are checking as we speak, and will come up with a statement soon. We
will advise passengers accordingly as per the investigation outcome,”
he told the South China Morning Post, adding that it was yet unknown
how many passengers’ details had been leaked.

Chandran said Malindo Air would also be hiring an independent
cybersecurity firm to do a full forensic analysis into the nature of
the leak. “This is a very serious offence.”

In the statement released later that day, Malindo Air admitted that
“some personal data concerning our passengers hosted on a cloud-based
environment may have been compromised”. It said that an in-house team,
along with external data service providers Amazon Web Services and
e-commerce partner GoQuo, was investigating the breach.

The carrier also said that customer payment details were not stored in
the affected servers, and that the airline was in the midst of
notifying the various relevant authorities both locally and abroad,
including national cybersecurity specialist agency CyberSecurity
Malaysia.

The files of passengers who flew with Thai Lion Air and Malindo Air,
subsidiaries of Lion Air, were uploaded and stored in an open Amazon
Web Services bucket, a public cloud storage resource.

The files – titled “Passenger Details” or “Passengers” – contain full
names, home addresses, email addresses, dates of birth, phone numbers,
passport numbers and expiration dates.

Four files, two belonging to Malindo Airlines and two belonging to
Thai Lion Air, were dumped online by a figure known as Spectre, who
operates a darkweb site that publishes download links for leaked data
and hacked databases.

There were also references to Batik Air, a third Lion Air subsidiary
based in Jakarta.

The data was dumped in groups on instant messaging service Telegram,
as well as on cloud storage and file-hosting services such as mega.nz
and openload.cc, which still contain an active link to these
databases.

Cybersecurity expert Nandakishore Harikumar’s team found the records
when monitoring these forums while running a data safety operation for
a client.

“While assessing a few of them we found that Spectre’s website had a
new dump which belonged to Malindo Airlines. We accessed the dump,
verified the data and understood that it contained sensitive
information. We assessed the severity and tried to understand where
all the data was on sale,” said Nandakishore, CEO of Indian
cybersecurity start-up Technisanct, adding that businesses had to take
necessary steps to secure sensitive and private information.

Although his company contacted Malindo Air, “there was no response”.

Malindo Air – a Malaysian carrier – operates from two airports in
Kuala Lumpur and has a network of about 40 routes across the region,
including to destinations in Indonesia, Thailand, India, Singapore and
Australia with more than 800 flights weekly.

Chandran is set to step down as CEO on September 23, making way for
Mushafiz Mustafa Bakri, who is currently director of safety, security
and quality at Thai Lion Air, in a power transfer unrelated to this
incident.

Chandran will become strategic director for Lion Group, overseeing the
development of the company’s five carriers.

The Post contacted several Malaysians whose details were published in
the leak and they confirmed they had flown Malindo Air recently,
although they had not been contacted by the airline.

Cyber law and technology lawyer Foong Cheng Leong said that companies
in breach of Malaysia’s Personal Data Protection Act are not under any
legal obligation to notify the authorities, the public, or the victim
of the leak, although this lacuna is being reviewed.

“There is no data breach notification rule in Malaysia under this Act.
However, there is of course a moral obligation on the part of the
company to notify the subject and the public,” said Foong.

“Unfortunately in Malaysia these data breaches happen often, but if
nobody knows about it nothing happens. During past breaches, there
were some investigations but no prosecutions and no repercussions.”

Asean countries are a prime target for cyberattacks, according to
global management consulting firm AT Kearney.

In a recent cybersecurity report, the consultancy said Malaysia,
Indonesia and Vietnam were “global hotspots” for major blocked
suspicious web activities at up to 3.5 times the standard ratio.

In 2017, Malaysia suffered a massive data breach where the information
of millions of mobile service subscribers was leaked online. In July
this year, popular beauty products retailer Sephora reported online
accounts from residents of Hong Kong, Singapore and Malaysia were
compromised by a data leak.

Singapore in particular, where Malindo Air’s servers are located, has
been the target of a slew of data leaks.

In January, the confidential information of over 14,000 people
diagnosed with HIV was leaked online.

In July 2018, the personal data of 1.5 million patients of
SingHealth’s specialist clinics – including Prime Minister Lee Hsien
Loong – was compromised.

In 2017, an insurance company’s online health portal was breached and
the personal information of over 5,000 customers was stolen.

