#privacy: Breach hits tens of millions of Lion Air passengers

Passengers of two airlines owned by Lion Air, Malindo Air and Thai Lion Air, have had their personal data compromised.

At least 35 million records had been circulating online on data exchange forums due to an open Amazon bucket. The records were found in two databases. The first held 21 million records, which included passenger IDs, reservation IDs, customer addresses, phone numbers and more.

The second database had 14 million records which contained the names, dates of birth, phone numbers, passport numbers and passport expiration dates. 

Both databases had been published online by someone known as “Spectre”, who runs a site on the dark web that publishes download links for leaked data.

Researcher Under The Breach published samples of the two databases, making sure that the personal details of the passengers were hidden.

It is suggested that a third Lion Air subsidiary, Batik Air, may have also been affected. 

In an official statement from Malindo Air, it was revealed that an investigation is currently being conducted by Amazon Web Services (AWS) and GoQuo. Malindo Air is also engaging with independent cybercrime consultants. 

“Malindo Air has put in adequate measures to ensure that the data of our passengers is not compromised in line with the Malaysian Personal Data Protection Act 2010. We also do not store any payment details of our customers in our servers and are compliant with the Payment Card Industry (PCI) Data Security Standard (DSS),” the statement said. 

“We are in the midst of notifying the various authorities both locally and abroad including CyberSecurity Malaysia. Malindo Air is also engaging with independent cybercrime consultants to investigate and report into this incident.”

The company has urged passengers who have Malindo Miles accounts to change their passwords. 

Stephan Chenette, co-founder and CTO of AttackIQ, commented: “Companies must do a better job at proactively securing sensitive data, starting with the basics and then building to more mature programs.

“To protect consumer data, organizations should employ continuous security validation tools to identify and prioritise gaps in security that need to be addressed first, and continuously assess the viability of their security controls to make sure they are enabled, configured correctly and operating effectively at all times.”

