March 3, 2021updated 19 Mar 2021 10:02am

Malaysia Airlines customer? You might suddenly reappear anywhere

By Ellen Daniel

Malaysia Airlines has alerted customers that it has suffered a long-running data leak spanning almost a decade. Individuals affected by the leak are at risk of having their identities duplicated and misused by cyber miscreants, among other things.

The data in question belongs to members of the airline’s frequent flyer programme Enrich. Malaysia Airlines emailed Enrich members to tell them about a “data security incident” at a third-party IT service provider involving personal data between March 2010 and June 2019. According to the airline, its own IT infrastructure was unaffected.

While details of the leakage are sparse, the airline said that the personal data affected included names, dates of birth, gender, contact details, frequent flyer numbers and frequent flier status. Payment card information, account passwords or reservation details were apparently not included.

The airline said that there was “no evidence that any personal data had been misused”. However, it is encouraging Enrich members to change account passwords.

Malaysia Airlines has not disclosed how many customers were affected by the breach, nor has it named the third-party IT supplier.

While the airline has not publicly addressed the incident, it replied to a customer’s tweet saying that it was “monitoring any suspicious activity concerning its members’ accounts and in constant contact with the affected IT service provider to secure Enrich members’ data and investigate the incident’s scope and causes”.

While the fact that passwords and payment details were not included in the breach reduces its severity, the leaked details are are very useful to cyber criminals. Affected Enrich members will now be more vulnerable to a range of cyber attacks including identity theft and phishing.

Analysts agreed that a data leak going unplugged for close to a decade was worrying, and that Malaysia Airlines needed to urgently find out where its customers’ data had gone.

“It is extremely concerning that a data security incident at one of the world’s major airlines has gone completely unnoticed for this length of time,” said Nikos Mantas, incident response expert at Obrela Security Industries. “Data security should be a priority for all organisations today and scanning for threats across all systems, both inhouse and third-party, is essential, especially when they hold confidential customer information. The most important thing for Malaysia Airlines to do now is communicate everything it knows about the attack to customers and shareholders and try to establish the full impact of how many customers were affected and what data was put at risk. Transparency is key in this situation.”

Frequent flyer programmes have been the target of cyber attacks on several occasions. Air India’s frequent flyer scheme was targeted in 2016, with hackers making off with air miles worth $23,745, and British Airways frequent-flyer accounts were accessed by hackers in 2015.

David Sygula, senior cybersecurity analyst at CybelAngel, said that the incident highlights the importance of ensuring that every organisation within a supply chain is secure:

“The Malaysia Airlines breach is further proof that addressing data breaches that occur outside the corporate firewall is vital to managing your third-party risk. As more organisations turn to cloud providers for everything from infrastructure to apps, to support employees, save money and enable digital transformation, they are expanding their attack surface exponentially.

“Organisations must constantly scan for leaked documents outside the enterprise perimeter, including connected storage, open databases, cloud applications and the Dark Web to uncover confidential and sensitive data quickly, before it is exploited.”


Read More: £183m BA data breach fine downgraded to £20m by ICO.


 

Verdict deals analysis methodology

This analysis considers only announced and completed deals from the GlobalData financial deals database and excludes all terminated and rumoured deals. Country and industry are defined according to the headquarters and dominant industry of the target firm. The term ‘acquisition’ refers to both completed deals and those in the bidding stage.

GlobalData tracks real-time data concerning all merger and acquisition, private equity/venture capital and asset transaction activity around the world from thousands of company websites and other reliable sources.

More in-depth reports and analysis on all reported deals are available for subscribers to GlobalData’s deals database.

Topics in this article: