• Personal data belonging to customers of two airline companies owned by Lion Air has been found in an open AWS storage bucket on the web.
  • This data is believed to be circulating on data exchange forums for more than a month.

What happened?

The information left unsecured in online databases includes names, email addresses, phone numbers, physical addresses, passport numbers, passport expiration dates, dates of birth, and passenger and reservation IDs.

  • The customer records that belong mostly to Malindo Air and Thai Lion Air were created in May 2019. They were found in two databases with 14 million and 21 million records each.
  • The most recent backup is named ‘Payment Gateway’ and is dated May 25.
  • Additional backup names are reported to include a reference to the company’s loyalty program and the online booking service GoQuo.
  • An online researcher who goes by the name of ‘Under the Breach’ on Twitter posted samples of the databases after masking the personal information of customers.

Data leaked nearly a month ago

The exact date on when the data was made available on forums is not clear, but it has been observed that data exchange forums published the link to the open AWS bucket on August 10.

  • The data is believed to be dumped on Telegram, the messaging platform, and on services such as mega.nz and openload.cc, where an active link to the databases is still available.
  • Bleeping Computer reported that the data was offered on a data exchange community on August 12, and the bucket was secured in some time.

Official reactions

The breach was officially confirmed by Malindo Air CEO Chandran Rama Muthy, who said that the airline has initiated internal investigations and reached out to the Malaysian Communications and Multimedia Commission (MCMC) on Tuesday.

He told South China Morning Post, “We found out about this breach last week. We and a third party vendor are checking as we speak, and will come up with a statement soon. We will advise passengers accordingly as per the investigation outcome.”

He also said that the number of passengers whose data was compromised is still unknown. Chandran added that Malindo Air would be hiring an independent cybersecurity firm to analyze the nature of the leak.

Cyware Publisher