[BreachExchange] Malaysia Airlines discloses a nine-year-long data breach

Destry Winant destry at riskbasedsecurity.com
Thu Mar 4 11:02:09 EST 2021


https://www.bleepingcomputer.com/news/security/malaysia-airlines-discloses-a-nine-year-long-data-breach/

Malaysia Airlines has suffered a data breach spanning nine years that
exposed the personal information of members in its Enrich frequent
flyer program.

Starting yesterday, Malaysia Airlines began emailing members of their
Enrich rewards program to disclose that they were affected by a data
breach.

[Image: Malaysia Airlines Enrich data breach notification]

According to Malaysia Airlines, the breach occurred at a third-party
IT service provider who notified the airline that member data was
exposed between March 2010 and June 2019.

"Malaysia Airlines was notified of a data security incident at one of
its third-party IT service providers which involved some personal data
of members of Enrich, Malaysia Airlines' Frequent Flyer Programme
between the period of March 2010 and June 2019. The incident did not
affect Malaysia Airlines' own IT infrastructure and systems in any
way."

The member information exposed during the data breach includes member
names, contact information, date of birth, gender, frequent flyer
number, status, and rewards tier level.

The exposed data did not include Enrich members' itineraries,
reservations, ticketing, or any ID card or payment card information.

While Malaysia Airlines says that no passwords were exposed and there
is no evidence of misuse, the airline recommends that users change
their passwords anyway.

It is unknown how many Enrich members were affected by this breach.

BleepingComputer has contacted Malaysia Airlines with further
questions but has not heard back.

What should Malaysia Airlines Enrich program members do?

If you are a member of the Enrich program, you should immediately
log in to your account and change your password. If this password is
utilized at other sites, it should be changed there as well.

Malaysia Airlines further warned that it would not be contacting
members about updating their information over the phone.

Therefore, if you receive a phone call from Malaysia Airlines about
this breach or asking for further information, you should be
immediately suspicious and hang up the call.

It is common for threat actors to use data found in data breaches to
perform malicious attacks, and all Enrich members should be wary of
emails, texts, and calls from the airline.

