Malindo Airlines Passenger Data Breached

Another day, another breach. This time the victim is Malindo Air, a subsidiary of Indonesia's Lion Group. According to various news reports, the airline was investigating a data breach involving the personal details of its passengers. The airline also released a statement confirming the breach.

“Malindo Airways Sdn Bhd has come to be aware that some personal data concerning our passengers hosted on a cloud-based environment may have been compromised. Our in house teams, along with external data service providers, Amazon Web Services (AWS) and GoQuo, our e-commerce partner are currently investigating into this breach.”

What comes to our mind following this statement was how cybercriminals were able to breach data that was stored on AWS, a renowned cloud service provider. CyberSecurity Asean have reached out to AWS for comments and are still waiting for their replies.
It also made us ponder the cybersecurity measures taken by the airlines. Airlines are common targets for cybercriminals with Cathay Pacific and British Airways facing similar data breaches on passenger information quite some time ago.

The statement also mentioned that Malindo Air has adequate measures to ensure that the data of its passengers are not compromised in line with the Malaysian Personal Data Protection Act 2010. The airline stated that is does not store any payment details of customers in their servers and are compliant with the Payment Card Industry (PCI) Data Security Standard (DSS).

Apart from engaging with the authorities regarding the breach, Malindo Air is also enlisting independent cybercrime consultants to investigate and report into this incident. The airline also advised passengers with Malindo Miles accounts to change their passwords if identical passwords have been used on their other services online.

According to a report on South China Morning Post, the files of passengers who flew with Thai Lion Air and Malindo Air, subsidiaries of Lion Air, were uploaded and stored in an open Amazon Web Services bucket, a public cloud storage resource.

The news report stated that files, titled “Passenger Details” or “Passengers” contain full names, home addresses, email addresses, dates of birth, phone numbers, passport numbers and expiration dates. Four files, two belonging to Malindo Airlines and two belonging to Thai Lion Air, were dumped online by a figure known as Spectre, who operates a dark web site that publishes download links for leaked data and hacked databases.

The report also stated that the data was dumped in groups on instant messaging service Telegram, as well as on cloud storage and file-hosting services such as mega.nz and openload.cc, which still prese an active link to these databases.
Cybersecurity provider Kaspersky released a statement saying they never produced any report or any other specific intelligence on the Lion Group airlines data leak.

“On September 13, two days after information about the Malindo Air and Thai Lion Air data breach went public, we sent an alert to our Kaspersky Security Cloud users in Thailand and Malaysia. The alert notified them of the breach and asked them to treat incoming emails, text messages, and calls with additional caution. This was done via Security News - the in-product component used to rapidly inform our users about important cybersecurity-related news emerging in the public domain. Kaspersky has never produced a report or any other specific intelligence on the Lion Group airlines data leak. The information was earlier reported by Under the Breach twitter channel.”

Meanwhile, CSA reached out to Michael Petit, Head of Cloud Security, Asia Pacific & Japan, Check Point Software Technologies to get his comments and views on the issue.

"Data stored in cloud services like Amazon Web Services (AWS) S3 buckets are only as secure as their security configuration settings. Cloud services are convenient but require proper configuration for the best security possible within the confines of such technologies. Companies may have hundreds, thousands or even millions of S3 buckets or similar cloud data storage on other competing platforms.”

He explained with such complexity of data storage in the cloud, it is imperative for companies to persistently audit and correct misconfigurations, as cloud services may also change their settings occasionally. This is a necessarily laborious and time-consuming process for companies. Companies can also tap on more automated cybersecurity solutions that may help to alleviate human errors in configuration, and help to actively enforce cybersecurity best practices, and reduce identity theft and data loss in the cloud.

CSA also reached out to Michael Sentonas, Vice President, Technology Strategy, CrowdStrike. He pointed out that Malindo or any company that has been a victim of a breach would now have to rebuild their security network. The call for responses would be to identify what they’ve lost and build a a better security ecosystem.

You might also like
Most comment
share us your thought

8 Comments Log in or register to post comments

viola.semechkova@mail.ru's picture

удмарк WOODMARK TM российское производство инженерной доски, полного цикла, использует качественный кавказский дуб для изготовления качественного напольного покрытия - инженерная доска - под одноименным брендом Вудмарк WOODMARK [url=http://parketmark.ru/magazin/folder/inzhenernaya-doska-1]http://parketmark.ru/magazin/folder/inzhenernaya-doska-1[/url] Специалисты называют декинг материалом нового поколения, отличающимся высокими техническими параметрами и превосходным внешним видом. Благодаря этому сегодня террасная доска ДПК завоевала доверие многих потребителей.
natsv2012@mail.ru's picture

Группа компаний Pro-vision занимается поставками промышленного оборудования и запасных частей от ведущих мировых производителей на заказ для различных отраслей промышленности. [url=https://provision-group.ru/2015/03/06/distribyutory-murzan/]https://provision-group.ru/2015/03/06/distribyutory-murzan/[/url] Машина получила английское название «Flow pack» из-за технических особенностей: можно перевести как «упаковка потока».
nelrok14@mail.ru's picture

Невозможность попасть в собственное жилье, офис или иное помещение ввиду потери ключа, его кражи, заклинивания замка или захлопывания двери – не такое уж редкое явление. [url=https://srz.su/remont/]https://srz.su/remont/[/url] Особенные трудности для неподготовленных людей создают дверные конструкции повышенной взломостойкости. Наши специалисты обладают десятилетним опытом работы, поэтому успешно решают проблему любой сложности.
tanya.nedeltsova@mail.ru's picture

Фасовочно упаковочный автомат оснащен однопоточным весовым дозатором и предназначен для дозирования сыпучих, непылящих продуктов в трехшовный пакет, формируемый из рулона пленки. [url=http://upakovchik.ru/equipment/linii-rozliva]http://upakovchik.ru/equipment/linii-rozliva[/url] Машины обеспечивают герметичность упаковки, что позволяет хранить товары и продукты длительный срок.
shilodima88@gmail.com's picture

На сайте [url=https://allergolog1.ru/]https://allergolog1.ru/[/url] статьи и инструкции о том, как справиться с любыми типами аллергии.
derekpoole063@gmail.com's picture

The capacity to install an online casino on a smartphone makes the gaming system more comfortable and does not unite the speculator to a stationary computer, and special PC programs get ready for a secure Internet connection. Gamblers are happy to use such software to access gambling relaxation, so operators put on the market them functioning applications in place of smartphones and PCs. On this recto we attired in b be committed to unperturbed the best casino apps after Android with a real boodle game. Varied operators present autonomous download of online casinos an eye to Android [url="https://casinoapk4.xyz"]Casino Apk[/url] with a view legal pelf with withdrawal to electronic wallets or bank cards. Ambulant casinos are being developed in compensation the convenience of customers and attracting a larger audience. Such applications enjoy a swarm of undeniable advantages: Access to the casino from anywhere where there is Wi-Fi or plastic Internet. At the changeless all at once, applications do not pilfer up much lacuna in the device's memory. The functionality corresponds to the desktop conception of the resource: you can arouse bonuses, participate in tournaments, ass in your account, play opening machines in search legal tender in the relevance with the withdrawal of winnings, etc. End-to-end registration. There is no have need of to additionally cash register from your phone if you acquire an powerful account. For free demos. Gamblers can launch any video job or gaming-table tournament in a gratuitous grief mode. The on the contrary liability of the version adapted object of pocket devices may be the lack of some titles in the presented collection. The mobile application of an online casino with niche machines to go to playing to save medium of exchange gives access barely to slots in HTML5 format, but so clearly not all providers have redesigned their portfolios in accordance with this requirement. Manner, the largest manufacturers own been producing groove machines for the benefit of certain years captivating into account additional standards and remaking dilapidated titles instead of them, which are notably popular expanse gamblers. To boot, providers settle into account the features of handy devices when creating games. A special interface and odd modes of make use of are being developed for them. In favour of example, Wazdan offers a feature that increases the battery economy of the appliance by 40%, and Ultra Lite technology, which preserves the counterpart je sais quoi and download promptness with a past it Internet connection. Place machines on the phone have no more than a start button and a venture level control. The gaming interface on a small screen is slight modified compared to the desktop variation, so it is certainly useful to play in the casino application in the service of long green from your phone, direct slots and groove machines. The biggest menu is occult in drop-down windows, and links to the main sections are immobilized at the cut off or bottom of the screen. Also, the online converse term button after contacting applied keep specialists is always in sight. Since the Google Court and AppStore digital parcelling services inflict defined restrictions on gambling programs, you can download the casino dedication to your phone against playing material take from the proper website. To download, you choice call a together to the apk complete and the user's permission to position and rove the program. Now operators transmit exhaustive connection instructions on the page with a link, and if there are difficulties, the customer can again consult with the character service. Some licensed casinos also submit clients programs in favour of intimate computers and laptops. You can [url="https://casinoapk4.xyz/"]Casino App[/url] them from the official website. Such software is stock due to speedy uninterrupted access to games from the desktop without using a browser.
beticuto1987@mailis.xyz's picture

[url=https://www.alkraft.ru/production/fireproofdoor]купить люки под плитку[/url] или [url=https://www.alkraft.ru/production/metallicheskaya-dverca-s-zamkom]купить сантехнический люк[/url] https://www.alkraft.ru/production/metallicheskaya-dverca-nazhimnaya
openapot1834@mailis.xyz's picture

[url=https://www.alkraft.ru/production/santehnik]ревизионные люки оптом[/url] или [url=https://www.alkraft.ru/production/master-s]люки под покраску от производителя[/url] https://www.alkraft.ru/production/inzhener