Malindo Air and Thai Lion Air, subsidiaries of Lion Group of Indonesia, have both experienced a data security incident that has exposed information of 46 million passengers on the dark web.
Malindo Air has sent out emails to affected passengers (all) blaming two employees at their Indian subcontractor for the theft.
Here’s a copy of the email that Malindo has sent out:
Thank you for your continued support towards Malindo Air.
Further to our updates on the data breach, we would like to advise that the data exposure has since been contained.
As a result of the findings, two former employees of our e-commerce services provider, GoQuo (M) Sdn Bhd in their development centre in India had improperly accessed and stolen the personal data of our customers. The matter has been reported to the police both in Malaysia and India.
Malindo Air has been working closely with all the relevant agencies including the Malaysian Personal Data Protection Commissioners and the National Cyber Security Agency (NACSA) as well as their counterparts overseas.
We wish to reiterate that this incident is not related to the security of our data architecture or that of our cloud provider Amazon Web Services. All Malindo Air’s systems are fully secured and none of the payment details of customers were compromised due to the malicious act.
As a forward proactive measure, data forensics and cyber security experts have been brought in to review all our existing data infrastructure and processes.
We have also initiated auto-reset of all customer passwords and would like to caution our customers to be wary of any suspicious and unsolicited calls and/or emails.
Please feel free to reach out to firstname.lastname@example.org if any further assistance is required.
This is the first email that Malindo Air sent out to their passengers, although the email implies otherwise. Do they have issues with their email providers too?
The airline assures that no payment information has been leaked. Not sure how a couple of subcontractor employees can just download the entire passenger databases of these two airlines without anyone noticing. Astounding level of incompetence.