Updated: Oct 20, 2019
"And another one bites the dust". Information is now the new currency of the data-hungry world.
Data breaches of airline passengers have now become a norm. Malindo Air is not the first company to be reported of such news and it will certainly not be the last.
Other top airlines such as the British Airways, Hong Kong’s Cathay Pacific Airways and Delta Airlines have suffered similar cases and are facing hefty penalties charges.
Other than airline companies; banks and hospitals will always be prime targets for cyber criminals. Hackers view such companies as a "harvesting pot" for information that is highly validated.
In the case of Malindo Air, CEO Chandran Rama Muthy confirmed that there was a data leak - apparently revealing passport numbers with expiry dates, home address, full names, email address and phone numbers. The company reported that no information of passengers’ banking details was stolen, as Malindo does not store any payment details.
While there may not be any news of payment data breachers, it is worth to note that cyber criminals adopts a cardinal rule of not revealing banking details to the public as such data are sold in the black market, known to many as the "dark web".
It was reported that on Sept 11 2019, a total of four (4) files consisting millions of passenger information from Malindo and Thai Lion Air were uploaded onto the Amazon Web Services cloud for public viewing by an anonymous figure known as "Spectre".
Malindo’s swift action to contain the breach did not give criminals enough time to craft phishing emails cause further reputation damage to the Malaysian-based subsidiary of Indonasia's PT Lion Mentari Airlines.
It was said that two former employees from a leading airline e-commerce service provider, GoQuo (M) Sdn Bhd at its development center in India, "improperly accessed and stole the personal data its customers".
Criminals can use such validated data to alter booking details or even chalk up ones own frequent flyer miles.
The authorities are currently investigating the case and the public is anxiously waiting to know the findings of this cyber incident.
The question now lies on who will be held responsible for the data breach. Under the Malaysian Personal Data Protection Act (PDPA) 2010, the law does not apply to stolen data outside of Malaysia boarders.
As the security landscape is constantly shifting and becoming more sophisticated, companies holding huge amounts of customer information would need to identify the "internal" risks and put in place stringent controls to reduce data breaches caused by third-party vendors misusing their user credentials.