KUALA LUMPUR, Sept 18 — Malindo Air assured its customers today that no financially sensitive information was exposed in a massive data breach of the airline’s databases involving millions of accounts that have since been leaked online.
Malindo added that it has taken remedial steps in response to the incident and urged registered users to change their passwords as a precaution.
The airline said the measures were in line with the Malaysian Personal Data Protection Act 2010, adding that payment details of its customers were not stored on its servers and kept in compliance with the Payment Card Industry (PCI) Data Security Standard.
“As a precautionary measure, we would advise passengers who have Malindo Miles accounts to change their passwords if identical passwords have been used on their other services online.
“We will continue to provide further updates through our website, mobile and social media platforms,” it said in a statement here today.
The breach and leak were confirmed by Malindo Air chief executive Chandran Rama Muthy and first reported by South China Morning Post (SCMP) this morning.
The airline also confirmed that it was in the midst of notifying authorities including CyberSecurity Malaysia while engaging with independent cybercrime consultants to investigate the matter.
According to SCMP, the files ― titled “Passenger Details” or “Passengers” ― contained full names, home addresses, email addresses, dates of birth, phone numbers, passport numbers and expiration dates.
A total of four files ― two belonging to Malindo Airlines and two belonging to Thai Lion Air ― were dumped online by a figure known as “Spectre”, an operator of a Dark Web site dedicated to download links for leaked data.
SCMP reported that the data dump was shared on instant messaging service Telegram, as well as on cloud storage and file-hosting services such as mega.nz and openload.cc.
Batik Air, another Lion Air subsidiary based in Jakarta, Indonesia, is also reportedly affected.