This article first appeared in The Edge Financial Daily on September 24, 2019

KUALA LUMPUR: Malindo Air said yesterday a former employee of its e-commerce service provider was responsible for its recent passenger data breach.

The employee of GoQuo (M) Sdn Bhd at the firm’s development centre in India had “improperly accessed and stolen the personal data of our customers”, said the airline, adding that the matter had been reported to the police both in Malaysia and India.

“Malindo Air has been working closely with all the relevant agencies, including the Malaysian Personal Data Protection Commissioner and the National Cyber Security Agency as well as their counterparts overseas,” the airline said in a statement.

The data exposure has since been contained, it said, adding that the incident is not related to the security of its data architecture or that of its cloud provider Amazon Web Services.

“All its systems are fully secured and none of the payment details of customers were compromised due to the malicious act,” said Malindo Air.

As a forward proactive measure, the carrier said data forensics and cybersecurity experts had been brought in to review all its existing data infrastructure and processes.

Malindo Air chief executive officer Chandran Rama Muthy disclosed the data leak last Wednesday.

According to a report in the South China Morning Post following the disclosure, personal data of passengers who flew with Thai Lion Air and Malindo Air — both subsidiaries of Indonesia’s Lion Air — were released online by “Spectre”, which runs a Dark Web site that publishes links to download leaked data and hacked databases.

The breach was discovered by Indian cybersecurity firm Technisanct while it was running a data safety operation for a client.