Two rogue employees of Malaysian e-commerce services provider GoQuo have been identified as the culprits behind a security breach that compromised the personal data of Malindo Air and Thai Lion Air passengers. The Malaysian and Thai airlines are subsidiaries under Indonesia's low-cost carrier group, Lion Air.
The two former employees were based at GoQuo's development centre in India and "improperly accessed and stole" personal data of the airlines' customers, said Malindo Air in the latest of a series of statements regarding the breach. The carrier said it had reported the incident to the police in Malaysia as well as India.
Stressing that all its systems were "fully secured", it further noted that the data leak had been "contained" and reiterated that no payment details were compromised in the breach. It also initiated an auto-rest of all its customers' passwords.
Personal data compromised in the breach included the passenger's date of birth, passport number, and mobile number.
Malindo Air said the incident was "not related" to the security of its data infrastructure or that of its cloud provider, Amazon Web Services (AWS).
The Malaysian airliner said it was working with all relevant agencies regarding the breach, including the Malaysian Personal Data Protection Commissioners and National Cyber Security Agency.
Malindo Air said it had engaged data forensics and cybersecurity specialists to review its existing data infrastructure and processes.
The carrier did not say how many customers were impacted by the security breach, but various reports put the number between 21 million and 30 million, including Thai Lion Air passengers.
In a previous statement to ZDNet, an AWS spokesperson said its services and infrastructure "worked as designed and were not compromised in any way".
"Neither the use of cloud services nor the geographic location of the data had any bearing on the issue," it added, but declined to reveal where the AWS servers containing Malindo Air's data resided or whether the airline had given specific instructions on where its data should be stored.
Commenting on the breach, HackerOne's IT head Aaron Zander said: "Leaving a server exposed without any protection is one of the most basic and embarrassing security failings, but these breaches still continue to happen across the board. When it comes to securing the data of ever more informed consumers, the basics of security need to be covered at a minimum.
"When moving such data to a cloud environment, maintaining an understanding who is accessing what and when is key so the risk of unauthorised access is minimised.
"Modern engineering teams have many people who can improve on your infrastructure and security, but equally as many people can make a mistake. Continued testing and checks help keep everyone's data safe, especially your customers."
AWS says servers secure following Malindo Air data breach
Amazon Web Services says servers containing customer information belonging to the Malaysian airline are secured, following a breach that compromised personal data of 21 million passengers, including that of Malindo's sister company, Thai Lion Air.
Lack of collaboration, disclosure affecting APAC security posture
Threat actors are collaborating more effectively than legit businesses in the region, which aren't sharing enough intelligence with others in the industry, says Microsoft Asia CSO.
Cyberattacks can cost APAC healthcare firms $23.3M
Healthcare organisations in Asia-Pacific can incur economic losses of up to US$23.3 million from cybersecurity incidents, though, 45% have either experienced or are not even sure if they have experienced a cyber attack.
APAC consumers have little trust in digital services
Just 31% of Asian consumers believe their personal data will be managed in a trustworthy way by businesses offering digital services, with 40% revealing their trust has been compromised whilst using such services.
One in four APAC firms not sure if they suffered security breach
A quarter of Asia-Pacific companies have experienced a security incident, while 27% aren't even sure because they haven't conducted any data breach assessment--even as the region is estimated to have lost US$1.75 trillion last year due to cyber attacks.