Malaysian airline Malindo Air has been taken to court for data breach incident, which occurred last year and saw the personal data of some of its passengers hosted on a cloud-based environment being compromised. The airline has also pleaded not guilty in its court charges in Malaysia under the Personal Data Protection Act 2010, and is challenging the authorities on the nature of the charges.
Malindo Air said in a press statement that it believes the charges against it are without merit and it intends to defend its position. The airline also affirms that it has always acted with the utmost professionalism in dealing with the data breach incident. The release added that Malindo Air has extended co-operation to all investigating agencies in Malaysia and 22 other international personal data protection authorities in countries that Malindo Air flies to.
Malindo Air said it has provided constant updates to all its passengers as well as all relevant authorities. All practical and reasonable steps had also been taken and put in place to ensure the protection of its customers’ personal data.It added that no payment or credit card details were leaked in the breach. Additionally, the airline said the court has also reprimanded the prosecution for one of the charges that was vaguely drafted, and then orally amended.
The data breach incident occurred in September 2019, and it was later found out that the breach was a result of two former employees of eCommerce services provider, GoQuo, improperly accessing and stealing the personal data of its customers. The two former employees are based in GoQuo’s development centre in India, and the airline reported the matter to the police in Malaysia and India. Malindo Air later confirmed that the data exposure has since been contained and all its systems are fully secured.
Additionally, Moscow-based cybersecurity firm Kaspersky denied producing a report last year on the data leak which affected Malindo Air and Thai Lion Air. The allegation that Malindo Air’s statement followed a report by Kaspersky about the airlines’ data breach and that Kaspersky had said part of the leaked databases, were up for sale on the dark web was reported by several media outlets such as Reuters and CNA. The Business Times, which re-published the news from Reuters, later updated the article with an amendment to reflect Kaspersky’s clarification.