THE personal data of millions of passengers have been leaked in a massive data breach that the hit Indonesia low-cost airline Lion Air and its subsidiaries, including Malindo Air, the South China Morning Post reports.

The data includes passport details, home addresses and phone numbers.

Malindo Air CEO Chandran Rama Muthy confirmed the leak to SCMP. 

There has been no official announcement of the matter on either Malindo Air’s or Lion Air’s Twitter accounts.

Chandran said Malindo Air had informed the Malaysian Communications and Multimedia Commission (MCMC) about the data breach, which was discovered last week.

“We and a third party vendor are checking as we speak, and will come up with a statement soon. We will advise passengers accordingly as per the investigation outcome,” he was quoted as saying.

Yesterday, tech website Bleeping Computer also reported the data breach affecting Lion Air, noting that the records of its passengers “have been circulating on data exchange forums for at least a month”.

The personal data is stored in an Amazon bucket that is open on the web and are kept in two databases of 21 million records and 14 million records each, according to Bleeping Computer.

The tech site said the databases are in a directory holding back-up files, which appear to have been created in May this year.

Another Lion Air subsidiary, Batik Air, also appears to have been affected.

SCMP, meanwhile, reported that four files of passenger information belonging to Malindo Air and Thai Lion air, were dumped online by “Spectre”, an operator of a dark web site on download links for leaked data.

“The data was dumped in groups on instant messaging service Telegram, as well as on cloud storage and file-hosting services, such as mega.nz and openload.cc, which still contain an active link to these databases,” SCMP’s report said.

Malindo CEO Chandran also told SCMP the airline would hire an independent cybersecurity firm to conduct forensic analysis of the leak. – September 18, 2019.