Passport data of 30 million Malindo and Lion Air customers leaked: here’s what we know

Malindo Air said it was investigating the breach and had notified Malaysian and international authorities.
Malindo Air
  • A cybercrime Twitter channel detected on Sept 11 that the passport details of 30 million Lion Air passengers was available on the Dark Web.

  • On Wednesday (Sept 18), Lion Group subsidiaries Malindo Airlines and Thai Lion Air admitted that customers’ data had been compromised.

  • The leaked data was stored in a public cloud storage system created by Amazon Web Services, Malindo Air said.

  • Both airlines said they did not store payment details on their servers.

Two airlines have confirmed a leak of sensitive passenger data seven days after a cybercrime Twitter channel, named Under The Breach, detected it being shared and sold online.

The channel found that two directories of backup files for Malindo Air, Thai Lion Air and Batik Air containing over 30 million records of passport details, addresses and phone numbers had been posted by a hacker on the Dark Web.

All three are subsidiaries of Indonesia’s Lion Group.

The information which was created in May, began circulating on multiple online forums as early as August 10, according to a report by Bleeping Computer, a cybercrime site.

It added that file names included references to Lion Air’s loyalty reward program and online booking service GoQuo.

On Wednesday (Sept 18), Thai Lion Air issued a statement on Facebook that it was aware of a data breach.

Posted by Thai Lion Air on Wednesday, 18 September 2019

It clarified that it had not stored customers’ payment details on servers, and promised to “increase preventative measures” to protect customers’ data better in the future.

Malaysia’s Malindo Air also released a statement that had notified Malaysian and international authorities of the data breach.

The leaked data was stored in a public cloud storage system created by Amazon Web Services, an external data service provider, Malindo Air said.

It added that it was working with Amazon and GoQuo to investigate.

Petaling Jaya, 18th September 2019 – Malindo Airways Sdn Bhd has come to be aware that some personal data concerning our…

Posted by Malindo Air on Tuesday, 17 September 2019

The airline also assured customers that it did not store customers’ payment details on its servers, but advised those with frequent flyer accounts to change their passwords.

The Straits Times reported that the airline declined to say how many customers had been affected by the breach.

Batik Air did not release any statements about the data breach.

Read also:

Shopped online at Sephora? Customers in Singapore, Malaysia, had names, birthdays and passwords exposed in data breach

Malaysia’s largest data breach could involve a whopping 46.2 million telco subscribers – here’s what’s at risk

CIMB says it lost some magnetic tapes containing customer data