Kochi firm uncovers Malindo Air data breach that exposed 30 mn fliers’ info

Malaysia-based Malindo is Lion Air subsidiary and has significant India presence

Malindo Air Representational image | Wikipedia Commons

Malaysia’s Malindo Air, which has a significant presence in India, on Wednesday admitted to a serious security breach that exposed information, including passport details, of about 30 million passengers. “Malindo Airways has come to be aware that some personal data concerning our passengers hosted on a cloud-based environment may have been compromised,” the airline stated, confirming the security breach. Malindo Air has advised its customers to change their passwords in the aftermath of the scare.

The incident came to light after an Indian cyber-security firm based in Kochi, Technisanct, brought it to the notice of Malindo Air. Technisanct CEO Nandakishore Harikumar stumbled across the data dump on September 2 as his team was running the company’s cyber-security tool, Integrite, for identifying threats for one of its clients.

On further probing, the team was able to confirm that four files, two each belonging to Malindo Air and Thai Lion Air, with data—including names, passport numbers, contact details with addresses and reservation IDs—were dumped by an actor named Spectre on cloud-based file sharing platforms mega.nz and openload.ac.

The same data was dumped on forums in Telegram, too. “After confirming internally on September 11, we tried reaching out to Malindo and its CEO Chandran Rama Muthy, but there was no further action until the media started reporting on it,” Harikumar told THE WEEK.

In fact, according to Harikumar, the dumped folders contained more files of Thai Lion Air than Malindo Air. He added that with the company admitting to the security breach, individual passengers were reaching out to him asking whether their accounts have been compromised.

Both Thai Lion Air and Malindo Air are subsidiary companies of Lion Air. Malindo Air has not responded to queries from THE WEEK at the time of publishing of this article.

“We are in the midst of notifying the various authorities, both locally and abroad, including CyberSecurity Malaysia. Malindo Air is also engaging with independent cybercrime consultants to investigate and report into this incident,” the company stated on its website.

While Lion Air is headquartered in Indonesia, Malindo Air is based in Malaysian capital of Kuala Lumpur. Malindo Air flies to over 40 destinations, including India, Nepal, Indonesia, Thailand, Singapore, Sri Lanka, Australia and Pakistan, with more than 800 weekly flights.