Malaysia Airlines has alerted customers that it has suffered a long-running data leak spanning almost a decade. Individuals affected by the leak are at risk of having their identities duplicated and misused by cyber miscreants, among other things.
The data in question belongs to members of the airline’s frequent flyer programme Enrich. Malaysia Airlines emailed Enrich members to tell them about a “data security incident” at a third-party IT service provider involving personal data between March 2010 and June 2019. According to the airline, its own IT infrastructure was unaffected.
While details of the leak are sparse, the airline said that the personal data affected included names, dates of birth, gender, contact details, frequent flyer numbers and frequent flyer status. Payment card information, account passwords and reservation details were apparently not included.
The airline said that there was “no evidence that any personal data had been misused”. However, it is encouraging Enrich members to change account passwords.
Malaysia Airlines has not disclosed how many customers were affected by the breach, nor has it named the third-party IT supplier.
While the airline has not publicly addressed the incident, it replied to a customer’s tweet saying that it was “monitoring any suspicious activity concerning its members’ accounts and in constant contact with the affected IT service provider to secure Enrich members’ data and investigate the incident’s scope and causes”.
While the fact that passwords and payment details were not included in the breach reduces its severity, the leaked details are very useful to cyber criminals. Affected Enrich members will now be more vulnerable to a range of cyber attacks, including identity theft and phishing.
Analysts agreed that a data leak going unplugged for close to a decade was worrying, and that Malaysia Airlines needed to urgently find out where its customers’ data had gone.
“It is extremely concerning that a data security incident at one of the world’s major airlines has gone completely unnoticed for this length of time,” said Nikos Mantas, incident response expert at Obrela Security Industries. “Data security should be a priority for all organisations today and scanning for threats across all systems, both in-house and third-party, is essential, especially when they hold confidential customer information. The most important thing for Malaysia Airlines to do now is communicate everything it knows about the attack to customers and shareholders and try to establish the full impact of how many customers were affected and what data was put at risk. Transparency is key in this situation.”
Frequent flyer programmes have been the target of cyber attacks on several occasions. Air India’s frequent flyer scheme was targeted in 2016, with hackers making off with air miles worth $23,745, and British Airways frequent-flyer accounts were accessed by hackers in 2015.
David Sygula, senior cybersecurity analyst at CybelAngel, said that the incident highlights the importance of ensuring that every organisation within a supply chain is secure:
“The Malaysia Airlines breach is further proof that addressing data breaches that occur outside the corporate firewall is vital to managing your third-party risk. As more organisations turn to cloud providers for everything from infrastructure to apps, to support employees, save money and enable digital transformation, they are expanding their attack surface exponentially.
“Organisations must constantly scan for leaked documents outside the enterprise perimeter, including connected storage, open databases, cloud applications and the Dark Web to uncover confidential and sensitive data quickly, before it is exploited.”