Malaysia Airlines suffers data security 'incident' affecting frequent flyer members

Security breach compromises personal data of the airline's frequent flyer programme Enrich, including members' contact details and date of birth registered between March 2010 and June 2019, and reportedly involved a third-party IT service provider.

[Editor's note: SITA, the third-party IT service provider involved in this breach, has since clarified that the March 2010 to June 2019 timeframe reported here referred to the date during which the compromised data was registered. It did not refer to the length of the window of compromise as previously suggested, which SITA now has revealed to be less than a month. This article has been updated to reflect the clarification.] 

Malaysia Airlines has suffered a data security "incident" that compromised personal information belonging to members of its frequent flyer programme, Enrich. It says the breach originated from a third-party IT service provider.

The airline had sent out an emailer to Enrich members this week, stating it was notified of a "data security incident" at the third-party IT supplier. The breach involved "some personal data" registered between March 2010 and June 2019, with details that included members' name, date of birth, contact information, and various frequent flyer data such as number, status, and tier level. 

APAC consumers want IoT devices, but fear data leaks

Majority of consumers in Asia-Pacific already own at least one Internet of Things (IoT) device and plan to buy more, but 81 percent fear their personal data is being leaked and 71 percent worry about being monitored without their consent.

Read More

Travel data such as itineraries, reservations, ticketing, and ID card, as well as payment details were not compromised, according to Malaysia Airlines. Its own IT infrastructure or systems also were not affected, the carrier said.  

It noted that there was "no evidence" any personal data had been misused and the breach did not expose any account passwords, though, it urged Enrich members to change their passwords as a precaution. The airline also directed customers to pose any queries they might have directly via email to its data privacy officer. 

At press time, Malaysia Airlines had yet to make a public statement on the security breach or post a notice on its website. It did, however, appear to confirm the incident on Twitter in its replies to customers. 

In one of several such responses, the national carrier said: "The data security incident occurred at our third-party IT service provider and not Malaysia Airlines' computer systems. However, the airline is monitoring any suspicious activity concerning its members' accounts and in constant contact with the affected IT service provider to secure Enrich members' data and investigate the incident's scope and causes."

It reiterated its stance that there was no indication the breach impacted any account passwords, but advised members to change their passwords as a precautionary measure. 

The airline just in January had announced plans to introduce a fare-based earning programme and new tier qualification framework for Enrich, slated to commence in April 2021. 

Singapore telco Singtel also recently suffered a data security breach that involved a third-party IT vendor, which file-sharing system had contained vulnerabilities that were unsuccessfully patched. 

RELATED COVERAGE