A budget Asian airline group has revealed that two former employees of a third-party provider were responsible for a massive breach exposing around 35 million records.
The records — which contained names, dates of birth, phone numbers, emails, addresses, passport numbers and expiration dates — were spotted circulating on the dark web last month, although the breach only came to light last week.
They belonged to passengers of Malaysia’s Malindo Air and Thai Lion Air, which operate under parent group Lion Air.
Initial reports suggested a misconfigured Amazon Web Services (AWS) S3 bucket may have been to blame for the security incident, but AWS has since confirmed that its “services and infrastructure worked as designed and were not compromised in any way.”
Malindo Air yesterday clarified that two former workers at its e-commerce provider GoQuo in a development center in India “improperly accessed and stole the personal data of our customers.”
“Malindo Air has been working closely with all the relevant agencies including the Malaysian Personal Data Protection Commissioners and the National Cyber Security Agency (NACSA) as well as their counterparts overseas,” it added in a statement.
“Malindo Air wishes to reiterate that this incident is not related to the security of its data architecture or that of its cloud provider Amazon Web Services. All its systems are fully secured and none of the payment details of customers were compromised due to the malicious act.”
Robert Ramsden-Board, VP EMEA at Securonix, argued that detecting malicious insider behavior in the supply chain is extremely difficult.
“Organizations need to assess their suppliers’ cybersecurity, ensuring that they have appropriate measures in place to detect unauthorized activity by external and internal actors,” he added.
“They also need to properly vet all third-party suppliers before onboarding and establish boundaries on what a supplier can access with immediate alerts on any attempts to access or download off-limits or customer data.”