AWS servers 'secure' following Malindo Air data breach

Amazon Web Services servers containing customer information belonging to the Malaysian airline are secured, according to a Malindo Air statement released after a breach that compromised personal data of 21 million passengers, including that of Malindo's sister company, Thai Lion Air.
Written by Eileen Yu, Senior Contributing Editor

All Amazon Web Services (AWS) servers containing data of Malindo Air customers are secured "with no further vulnerabilities", and no payment details leaked, according to a statement from the airline, which cites AWS Singapore. This confirmation follows a reported security breach that compromised personal data of 21 million passengers including that of Malindo's sister company, Thai Lion Air. 

Forensic and data consultants also had been appointed to assess the overall data security infrastructure, focusing on passenger data protection across all platforms, said Malindo Air in a statement Thursday. In addition, it said remedial measures involving the notification of financial institutions, the police, and other relevant authorities had been established.

The airline reminded customers to be mindful of suspicious or unsolicited calls as well as email messages asking for verification of their personal data. 

The Malaysian carrier's announcement followed a previous statement confirming that data of its customers that were hosted on AWS' cloud platform might have been compromised. The cloud vendor, alongside Malindo Air's e-commerce vendor GoQuo, had begun investigating the breach.  

An AWS spokesperson sent ZDNet this statement regarding the incident: "While we can't get into details regarding a customer issue, it is important to clarify that AWS services and infrastructure worked as designed and were not compromised in any way. Neither the use of cloud services nor the geographic location of the data had any bearing on the issue."

When asked why then was the data bucket unsecured, since it said its infrastructure "worked as designed", the spokesperson declined to comment, citing it was unable to discuss details concerning a customer issue. 

And despite its mention of the server location, the US cloud vendor also refused to confirm where the AWS servers containing Malindo Air's data resided or whether the airline had given specific instructions on where its data should be stored. AWS also declined to comment on how the security incident was remedied. 

On its part, Malindo Air said it had put in place "adequate measures" that complied with Malaysia's Personal Data Protection Act to ensure its customer data were not compromised. The airline added that it did not store any payment details of on its servers and were compliant with the Payment Card Industry (PCI) Data Security Standard (DSS).

Members of Malindo Air's frequent flyer programme were further advised to change their passwords if they had used similar passwords on other online services.

Check Point Software Technologies's Asia-Pacific head of cloud security, Michael Petit, said in a note: "Data stored in cloud services like AWS S3 buckets are only as secure as their security configuration settings. Cloud services are convenient, but require proper configuration for the best security possible within the confines of such technologies. 

"Companies may have hundreds, thousands or even millions of S3 buckets or similar cloud data storage on other competing platforms. With such complexity of data storage in the cloud, it is imperative for companies to persistently audit and correct misconfigurations, as cloud services may also change their settings occasionally," Petit noted. "This is a necessarily laborious and time-consuming process for companies."

According to Check Point, personal data compromised in the breach included the passenger's date of birth, passport number, and mobile number.

Both Malindo Air and Thai Lion Air are subsidiaries under Indonesia's low-cost carrier group, Lion Air.


Lack of collaboration, disclosure affecting APAC security posture

Threat actors are collaborating more effectively than legit businesses in the region, which aren't sharing enough intelligence with others in the industry, says Microsoft Asia CSO.

Cyberattacks can cost APAC healthcare firms $23.3M

Healthcare organisations in Asia-Pacific can incur economic losses of up to US$23.3 million from cybersecurity incidents, though, 45% have either experienced or are not even sure if they have experienced a cyber attack.

APAC consumers have little trust in digital services

Just 31% of Asian consumers believe their personal data will be managed in a trustworthy way by businesses offering digital services, with 40% revealing their trust has been compromised whilst using such services.

One in four APAC firms not sure if they suffered security breach

A quarter of Asia-Pacific companies have experienced a security incident, while 27 percent aren't even sure because they haven't conducted any data breach assessment--even as the region is estimated to have lost US$1.75 trillion last year due to cyberattacks.

APAC firms look to edge for faster response but worry over data security

Edge computing is being sought out for faster response and cost savings, but there are concerns about security and latency when large volumes of data are processed on such platforms.

Editorial standards