As per reports, Malindo Air which is the subsidiary of Indonesia's Lion Air Group has said today that two ex-employees of its e-commerce contractor are responsible for its passenger data breach. Previously, Moscow-based cybersecurity firm Kaspersky had raised alarm for Lion Air users in Malaysia and Thailand. Malindo air also had advised its customers to change passwords and other credentials as a precautionary measure.
According to reports, Kaspersky has revealed that it had sent an alert on September 13 within two days after the data breach was announced publicly. The cybersecurity firm in its alert had states that personal credentials of around 46 million passengers of Malindo and Thai Lion Air, another Group subsidiary was posted online. Kaspersky further said that some parts of the leaked database and archives were up for sale and purchase.
Reportedly, in a statement, Malindo Air revealed that two ex-employees of the e-commerce service provider GoQuo (M) Sdn Bhd based with one of its development centre in India mistakenly accessed and stole personal data of their customers. Malindo has not mentioned the name of two former GoQuo employees. Malindo Air, reportedly, said that data breach was restrained and the issue was highlighted to the Malaysian and Indian police. The airline further said that breach was not associated with security of cloud services provider Amazon Web services data framework and that payment information was not trampled with. Malindo Air also said the breach was not related to the security of cloud service provider Amazon Web Services’ data architecture, and none of the payment details of customers were compromised.
On September 18, Airline had revealed a data breach in a press release .
Malindo Airways Sdn Bhd has come to be aware that some personal data concerning our passengers hosted on a cloud-based environment may have been compromised. Our in house teams along with external data service providers, Amazon Web Services (AWS) and GoQuo, our e-commerce partner are currently investigating into this breach. Malindo Air has put-in adequate measures to ensure that the data of our passengers is not compromised in line with the Malaysian Personal Data Protection Act 2010. We also do not store any payment details of our customers in our servers and are compliant with the Payment Card Industry (PCI) Data Security Standard (DSS).
(With inputs from Agencies)