Malindo Air says passengers' personal data 'may have been compromised' in breach — and these are precautions to take

-A +A

KUALA LUMPUR (Sept 18): Personal data of Malindo Airways Sdn Bhd (Malindo Air) passengers that have been stored in a cloud-based environment "may have been compromised", the airline said in a statement today.

"Our in-house teams along with external data service provider, Amazon Web Services (AWS), and GoQuo, our e-commerce partner, are currently investigating this breach," it said.

The budget carrier said it has put in adequate measures to ensure that the data of its passengers are not compromised, in line with the Malaysian Personal Data Protection Act 2010.

"We also do not store any payment details of our customers in our servers and are compliant with the Payment Card Industry (PCI) Data Security Standard (DSS)," it added.

The carrier said it was in the midst of notifying the various authorities both locally and abroad including CyberSecurity Malaysia, and is engaging with independent cybercrime consultants to investigate and report the incident.

"As a precautionary measure, we would advise passengers who have Malindo Miles accounts to change their passwords if identical passwords have been used on their other services online. We will continue to provide further updates through our website, mobile and social media platforms," it said.

The data leak was confirmed by Malindo Air's CEO Chandran Rama Murthy in a South China Morning Post report today.

It is estimated that the personal data of millions of passengers may have been compromised.

He said the company had learned about the leak last week and had reached out to the Malaysian Communications and Multimedia Commission yesterday.

The publication reported that personal data of passengers who flew with Thai Lion Air and Malindo Air — both subsidiaries of Indonesia's Lion Air — were released online by 'Spectre', which runs a darkweb site that publishes links to download leaked data and hacked databases.

The breach was discovered by Indian cybersecurity firm Technisanct while it was running a data safety operation for a client.