Malindo Air, a subsidiary of Indonesian low-cost airline Lion Air, has confirmed it suffered a data breach, which saw millions of passenger details posted on data exchange forums for over a month before it was disclosed.
The compromised records include passport details, home addresses and phone numbers, as well as flight details.
In early September, security researchers spotted that 30 million records from Malindo Air, as well as fellow Lion Air subsidiary Thai Lion Air, were posted on online forums. The files appear to have been left on a publicly available online server.
Independent security researcher @UnderTheBreach told Verdict the files were originally dumped on an online data exchange forum on 12 August. Access was then revoked before the databases popped up again on another thread on the same forum.
Users in the forum can be seen discussing the database:
“Hi mate, is there client data? Can you put a sample of record of client? Thanks,” writes one. “Good job [sic] nice data” writes another.
The databases were posted again on 10 September and again on 17 September.
“We assume the person who opened the thread must have gained the files from the AWS [bucket] and spread through the network using the information in the files,” Under The Breach told Verdict.
In the 10 September post, seen by Verdict, the poster claims the database includes the following data:
“PassengerDetailsID, PassengerID, ReservationID, Address1, Address2, City, County, Postcode, CountryName, Fax, Telephone, Email, EmergContact_Title, EmergContact_FirstName, EmergContact_SurName, EmergContact_Relationship, EmergContact_AreaCode, EmergContact_Telephone, IsSendSMS and BusinessContactNo.”
Servers “fully secured”
In a statement yesterday, Malindo Air confirmed the breach and said that all its servers are now “fully secured with no further vulnerabilities”.
The airline also said that no payment details were compromised and that it has since brought in an independent cybersecurity firm to investigate.
Lion Group and Thai Lion Air have yet to release a statement on the data breach. Verdict has reached out for comment.
The data breach appears to stem from the files being left in an open AWS S3 storage bucket – a problem that has resulted in countless data breaches in recent years.
These data buckets, commonly used by enterprises, are private by default. This means companies – or an associated third party – would have to actively make the files public, ignoring safeguards along the way.
HUGE: Hacker dumps @lionairthai's customer and flight database
First database has 21 million records which include passenger ID, Reservation ID, customer address, phone number and email (1/2) #breach #database #gdpr #blackhat pic.twitter.com/GCJ0LvekWR
— Under the Breach (@underthebreach) September 11, 2019
Lion Air data breach: Leaky buckets strike again
“It’s likely that hundreds of thousands of companies have the same cybersecurity issue as Lion Air,” said Roger Grimes, data-driven defence evangelist at cybersecurity awareness firm KnowBe4.
“Lion Air is just the latest one making the news. One of the biggest weaknesses at nearly every company and in every network is that of overly permissive permissions.
“It’s always been a problem, but before the cloud, only already-trusted insiders could take advantage of the security misconfigurations and only a minuscule percentage of employees were motivated to go looking.”
He added that in today’s “public cloud-centric world” giving too many permissions to users can be easily exploited by attackers.
“The problem is much bigger than anyone is talking about,” he said.
“Stark reminder” for airlines
The wealth of valuable personal data makes airlines a particularly attractive target for cybercriminals. In 2018, malicious hackers stole the payment details of some 380,000 British Airways customers, leading to a £183m fine.
Tony Pepper, CEO of data security software company Egress, said that the Lion Air data breach was a “stark reminder” to airlines of the importance of protecting customer data.
“Both accidental and malicious data breaches caused by employees can have far-reaching consequences for organisations and their customers,” he said.
“It’s important for citizens who suspect their details may have been compromised in this incident to be extra vigilant going forward, as their information may be used in future cyber-attacks.”