Two former contractors were responsible for the Malindo Air data breach in which millions of passenger details were posted on underground forums, the Malaysian airline has said.
Malindo Air, a subsidiary of Indonesian low-cost airline Lion Air, said that it has reported the incident to police in Malaysia and India.
In a statement, the airline said two former employees of its e-commerce services provider, GoQuo, were behind the “malicious act”.
According to GoQuo’s website, the travel booking company also counts Etihad Airways and Bangkok Airways – as well as 18 other airlines – among its customers.
Verdict asked GoQuo whether the former employees compromised the passenger data belonging to any of GoQuo’s other customers. In a statement to Verdict, a GoQuo spokesperson said:
“Security and data integrity are a high priority to GoQuo. Each product has a standalone database to ensure segregation of client information.
“Recent news about a breach of passenger data on one of our products is being investigated by the police and relevant cybersecurity agencies in Malaysia and India. We cannot comment further about the identities of the alleged perpetrators until the relevant authorities have concluded their investigations. In the meantime, GoQuo has lent its fullest support to all investigations and continues to provide uninterrupted service to all current and future clients.
“We wish to reiterate that the investigations are ongoing and we are unable to further comment. What we can confirm is that none of our current employees are involved and the integrity of our systems is intact.”
Malindo Air data breach highlights supply chain risk
The huge database of passenger records, which included passport details, home addresses and phone numbers, was first posted on data exchange forums on 12 August.
The Malindo Air database, as well as one reportedly containing passenger details from fellow Lion Air subsidiary Thai Lion Air, then bounced around online forums for just over a month as it was repeatedly taken down.
It was initially thought that the breach stemmed from an online server that had been left unsecured.
However, Malindo Air today stressed that the data breach was solely down to the actions of GoQuo’s former employees and “is not related to the security of its data architecture or that of its cloud provider Amazon Web Services”.
Instead, the Malindo Air data breach highlights the risk that can come with working with third parties.
“Effectively securing your supply chain can be a challenging task. Third parties often have legitimate access to systems and data,” said Robert Ramsden-Board, VP EMEA at cybersecurity firm Securonix.
“In this instance, a third party had access to Malindo Air systems, and employees abused this trust to access data for malicious intent. Detecting malicious insiders at third parties is an almost impossible task and organisations often only notice once the damage has already been done.”
Ramsden-Board advised organisations to assess the cybersecurity of their suppliers and to “properly vet all third-party suppliers before onboarding and establish boundaries on what a supplier can access with immediate alerts on any attempts to access or download off-limits or customer data”.