[BreachExchange] Passport data of 30 million Malindo and Lion Air customers leaked: here’s what we know

Destry Winant destry at riskbasedsecurity.com
Thu Sep 19 10:23:16 EDT 2019


A cybercrime Twitter channel detected on Sept 11 that the passport
details of 30 million Lion Air passengers were available on the Dark

On Wednesday (Sept 18), Lion Group subsidiaries Malindo Airlines and
Thai Lion Air admitted that customers’ data had been compromised.

The leaked data was stored in a public cloud storage system created by
Amazon Web Services, Malindo Air said.

Both airlines said they did not store payment details on their servers.

Two airlines have confirmed a leak of sensitive passenger data seven
days after a cybercrime Twitter channel, named Under The Breach,
detected it being shared and sold online.

The channel found that two directories of backup files for Malindo
Air, Thai Lion Air and Batik Air containing over 30 million records of
passport details, addresses and phone numbers had been posted by a
hacker on the Dark Web.

All three are subsidiaries of Indonesia’s Lion Group.

The information, which was created in May, began circulating on
multiple online forums as early as August 10, according to a report by
Bleeping Computer, a cybercrime site.

It added that file names included references to Lion Air’s loyalty
reward program and online booking service GoQuo.

On Wednesday (Sept 18), Thai Lion Air issued a statement on Facebook
that it was aware of a data breach.

It clarified that it had not stored customers’ payment details on
servers, and promised to “increase preventative measures” to protect
customers’ data better in the future.

Malaysia’s Malindo Air also released a statement that it had notified
Malaysian and international authorities of the data breach.

The leaked data was stored in a public cloud storage system created by
Amazon Web Services, an external data service provider, Malindo Air

It added that it was working with Amazon and GoQuo to investigate.

The airline also assured customers that it did not store customers’
payment details on its servers, but advised those with frequent flyer
accounts to change their passwords.

The Straits Times reported that the airline declined to say how many
customers had been affected by the breach.

Batik Air did not release any statements about the data breach.
