Malindo Air confirms data breach, exposing millions of passengers’ personal data

Tashny Sukumaran

Subsidiaries of Indonesian low-cost airline Lion Air have suffered a massive data breach, resulting in the information of millions of passengers – including passport details, home addresses and phone numbers – being leaked onto data exchange forums last month.

Malindo Air CEO Chandran Rama Muthy confirmed the leak, saying the airline was in the middle of carrying out an investigation into the matter and had already reached out to the Malaysian Communications and Multimedia Commission (MCMC) on Tuesday.

“We found out about this breach last week. We and a third party vendor are checking as we speak, and will come up with a statement soon. We will advise passengers accordingly as per the investigation outcome,” he told the South China Morning Post, adding that it was not yet known how many passengers’ details had been leaked.

Chandran said Malindo Air would also be hiring an independent cybersecurity firm to do a full forensic analysis into the nature of the leak. “This is a very serious offence.”

In the statement released later that day, Malindo Air admitted “some personal data concerning our passengers hosted on a cloud-based environment may have been compromised”. It said that an in-house team, along with external data service providers Amazon Web Services and e-commerce partner GoQuo, was investigating the breach.

The carrier also said customer payment details were not stored in the affected servers, and that the airline was in the midst of notifying the various relevant authorities both locally and abroad, including national cybersecurity specialist agency CyberSecurity Malaysia.

On Thursday, Lion Air also confirmed it was investigating the breach.

The files of passengers who flew with Thai Lion Air and Malindo Air, subsidiaries of Lion Air, were uploaded and stored in an open Amazon Web Services bucket, a public cloud storage resource.

The files – titled “Passenger Details” or “Passengers” – contain full names, home addresses, email addresses, dates of birth, phone numbers, passport numbers and expiration dates.

Four files, two belonging to Malindo Airlines and two belonging to Thai Lion Air, were dumped online by a figure known as Spectre, who operates a dark web site that publishes download links for leaked data and hacked databases.

There were also references to Batik Air, a third Lion Air subsidiary based in Jakarta.

The data was dumped in groups on instant messaging service Telegram, as well as on cloud storage and file-hosting services such as mega.nz and openload.cc, which still contain an active link to these databases.

Cybersecurity expert Nandakishore Harikumar’s team found the records when monitoring these forums while running a data safety operation for a client.

“While assessing a few of them we found that Spectre’s website had a new dump which belonged to Malindo Airlines. We accessed the dump, verified the data and understood that it contained sensitive information. We assessed the severity and tried to understand where all the data was on sale,” said Nandakishore, CEO of Indian cybersecurity start-up Technisanct, adding that businesses had to take necessary steps to secure sensitive and private information.

Although his company contacted Malindo Air, “there was no response”.

Malindo Air – a Malaysian carrier – operates from two airports in Kuala Lumpur and has a network of about 40 routes across the region, including to destinations in Indonesia, Thailand, India, Singapore and Australia with more than 800 flights weekly.

Chandran is set to step down as CEO on September 23, making way for Mushafiz Mustafa Bakri, who is currently director of safety, security and quality at Thai Lion Air, in a power transfer unrelated to this incident.

Chandran will become strategic director for Lion Group, overseeing the development of the company’s five carriers.

The Post contacted several Malaysians whose details were published in the leak and they confirmed they had flown Malindo Air recently, although they had not been contacted by the airline.

Cyber law and technology lawyer Foong Cheng Leong said that companies in breach of Malaysia’s Personal Data Protection Act are not under any legal obligation to notify the authorities, the public, or the victim of the leak, although this lacuna is being reviewed.

“There is no data breach notification rule in Malaysia under this Act. However, there is of course a moral obligation on the part of the company to notify the subject and the public,” said Foong.

“Unfortunately in Malaysia these data breaches happen often, but if nobody knows about it nothing happens. During past breaches, there were some investigations but no prosecutions and no repercussions.”

Asean countries are a prime target for cyberattacks, according to global management consulting firm AT Kearney.

In a recent cybersecurity report, the consultancy said Malaysia, Indonesia and Vietnam were “global hotspots” for major blocked suspicious web activities at up to 3.5 times the standard ratio.

In 2017, Malaysia suffered a massive data breach where the information of millions of mobile service subscribers was leaked online. In July this year, popular beauty products retailer Sephora reported online accounts from residents of Hong Kong, Singapore and Malaysia were compromised by a data leak.

Singapore in particular, where Malindo Air’s servers are located, has been the target of a slew of data leaks.

In January, the confidential information of over 14,000 people diagnosed with HIV was leaked online.

In July 2018, the personal data of 1.5 million patients of SingHealth’s specialist clinics – including Prime Minister Lee Hsien Loong – was compromised.

In 2017, an insurance company’s online health portal was breached and the personal information of over 5,000 customers was stolen.

This article Malindo Air confirms data breach, exposing millions of passengers’ personal data first appeared on South China Morning Post

Copyright 2019.