BUDGET carrier Malindo Air has contained a massive data breach affecting millions of passengers’ personal data, and has identified the source of the leak, the airline said.

Two employees of its e-commerce services provider, GoQuo (M) Sdn Bhd at the firm’s development centre in India had “improperly accessed” and stole the data, the subsidiary of Indonesia’s Lion Air said today.

“The matter has been reported to the police both in Malaysia and India,” it said in a statement.

Malindo Air reiterated that the breach is not related to the security of its data architecture or that of its cloud provider Amazon Web Services.

“All its systems are fully secured and none of the payment details of customers were compromised due to the malicious act,” it added.

The airline said it had been working closely with  relevant agencies, including Malaysian Personal Data Protection Commissioners and the National Cyber Security Agency (NACSA) as well as their counterparts overseas.

“As a forward proactive measure, data forensics and cyber security experts have been brought in to review all the airline’s existing data infrastructure and processes.”

Malindo Air said it has reset all customer passwords, and cautioned customers to be wary of suspicious and unsolicited calls and emails. 

“Customers can reach out to us for further assistance,” it said.

The data breach was reported about five days ago, and is believed to have taken place a few months earlier. The data was believed to have circulated on data exchange forums online for at least a month, according to tech website Bleeping Computer.

The breach involves the passport details, home addresses and phone numbers of millions of Lion Air and Malindo Air passengers.

Another Lion Air subsidiary, Batik Air, also appears to have been affected. – September 23, 2019.