Malindo Air said the recent data breach was a result of two former employees of eCommerce services provider, GoQuo, improperly accessing and stealing the personal data of its customers. The two former employees are based in GoQuo's development centre in India, and the airline said it has reported the matter to the police in Malaysia and India.
Meanwhile, Malindo Air confirmed that the data exposure has since been contained. "All its systems are fully secured and none of the payment details of customers were compromised due to the malicious act," the statement added. The airline said last week that the personal data of some of its passengers, which were hosted on a cloud-based environment, was compromised. It added that it was working with GoQuo and Amazon Web Services to investigate the matter, and that adequate measures have been put in place to ensure that the data of its passengers is not compromised.
Malindo Air wishes to reiterate that this incident is not related to the security of its data architecture or that of its cloud provider Amazon Web Services.
The airline said it has been working closely with all the relevant agencies including the Malaysian Personal Data Protection Commissioners and the National Cyber Security Agency as well as its counterparts overseas. As a forward proactive measure, Malindo Air said data forensics and cyber security experts have been brought in to review all the airline’s existing data infrastructure and processes. At the same time, the airline also initiated auto-reset of all customer passwords and cautioned customers to be wary of any suspicious and unsolicited calls and emails.
Separately, Moscow-based cybersecurity firm Kaspersky recently denied producing a report on the recent Lion Group data leak, which affected Malindo Air and Thai Lion Air. The allegation that Malindo Air’s statement followed a report by Kaspersky about the airlines’ data breach and that Kaspersky had said part of the leaked databases were up for sale on the dark web was reported by several media outlets such as Reuters and CNA. The Business Times, which has re-published the news from Reuters, has since updated the article with an amendment to reflect Kaspersky’s clarification.
[Digital Marketing Asia Conference 2019 in Singapore is back! Join us on 8-9 October as we hear from experienced practitioners and thought-leaders on how they are managing complex digital transitions and reimagining new ways for their marketing to become more customer focused, agile and interactive. Book your seats today.]