46 Million Person Airline Breach Caused by Ex-Contractors
It appears this summer's 46-million-person breach at a Southeast Asian airline carrier wasn’t caused by a misconfigured bucket but by two ex-staffers at a contracting firm.
Data leaks at an Asian airline carrier this month appear to have come after ex-staffers at a contractor the company employs improperly accessed and stole personal data belonging to its customers.
Malindo Air, the Malaysian subsidiary of Indonesia’s Lion Group said Monday that two former employees of GoQuo (M) Sdn Bhd, an e-commerce service, were responsible for the incident.
GoQuo, which is based in Kuala Lumpur, assists airlines like Malindo and Bangkok Airways in booking air transportation services and hotel accommodations for customers.
Malindo’s statement suggests the employees, who were working out of a GoQuo development center in India, were relieved of their positions upon discovery of the incident. The statement doesn't clarify whether the airline is still using the e-commerce vendor.
As a result, police in Malaysia and India, in addition to the Malaysian Personal Data Protection Commissioners and the National Cyber Security Agency (NACSA) have been contacted to investigate further, according to the airline.
The airline insists that because it doesn’t store the payment details of its customers on its servers, that data wasn't compromised as part of the breach.
Malindo was only one of the airlines affected in the breach; passengers of Lion Air Group subsidiaries Thai Lion Air and Batik Air, based in Jakarta, were also affected.
The first sign something was awry came earlier this month, on September 11, after databases containing Lion Air passenger IDs, reservation IDs, customer addresses, phone numbers, and email addresses, in addition to names, dates of birth, phone numbers, passport numbers, and passport expiration dates, surfaced online.
Security researchers initially said the two databases included information on roughly 35 million passengers. According to Reuters, Russian cybersecurity company Kaspersky Lab alerted the airline of the breach on Sept. 13, and told it the databases included information on 46 million passengers.
It was initially thought the breach may have been stemmed from a poorly secured Amazon Web Services S3 bucket - the airline said it was looking into both GoQuo and AWS earlier this month following the first news surrounding breach - Malindo Air shot down the AWS connection on Monday, saying the breach was unrelated.
While the employees at GoQuo had access to the passenger data in the first place, something which would have made exfiltration that much easier, it’s unclear how they took the data.
An email request for comment from the company wasn’t immediately returned on Monday.
When reached Tuesday, a spokesman for GoQuo could only say that a breach of passenger data on one of its products was being investigated by the police and relevant cyber security agencies in Malaysia and India.
"We cannot comment further about the identities of the alleged perpetrators until the relevant authorities have concluded their investigations. In the meantime, GoQuo has lent its fullest support to all investigations and continues to provide uninterrupted service to all current and future clients," the company said, adding that none of its current employees are involved and that the integrity of their systems is intact.
Airlines have been hit hard by data breaches over the past several years. 9.4 million passengers of Cathay Pacific Airways fell victim to a breach that leaked names, nationalities, and travel document numbers last year. Delta Airlines, in 2017, and Air Canada, in 2018, also experienced breaches.
None of these may compare to what British Airways is facing. The airline is currently facing a record £183M ($230 million USD) fine stemming from the breach of 500,000 customers in 2018. The Information Commissioner's Office in the UK announced plans to fine the company for violating the General Data Protection Regulation in July.
This story was updated on Tuesday, September 24 to include a statement from GoQuo.