Lion Air Breach Hits Millions of Passengers

Written by

Tens of millions of passengers from at least two Asian airlines have had their personal data compromised after workers at the parent company left them exposed via an AWS server, it has emerged.

Although it’s unclear how long the data had been exposed for, security researchers have pointed to at least 35 million records circulating online and linked to an individual with the moniker “Spectre.”

They belong mainly to passengers of Lion Air companies Malindo Air and Thai Lion Air, and include names, dates of birth, phone numbers, emails, addresses, passport numbers and expiration dates, and more.

There are suggestions that a third Lion Air brand, Batik Air, may also be affected.

An official statement from Malindo Air reveals little except that, along with AWS and the airline’s e-commerce partner GoQuo, it is investigating.

“Malindo Air has put in adequate measures to ensure that the data of our passengers is not compromised in line with the Malaysian Personal Data Protection Act 2010. We also do not store any payment details of our customers in our servers and are compliant with the Payment Card Industry (PCI) Data Security Standard (DSS),” it claimed.

“We are in the midst of notifying the various authorities both locally and abroad including CyberSecurity Malaysia. Malindo Air is also engaging with independent cybercrime consultants to investigate and report into this incident.”

The firm urged its passengers to change passwords on their Malindo Miles accounts and basically sit tight.

Reports suggest a misconfigured S3 bucket was again responsible for the security snafu, perhaps dating back to August.

Airlines are an increasingly popular target for hackers, with both Cathay Pacific and BA suffering major breaches over the past year.

The mistake or oversight that led to the Lion Air breach was most likely a very simple one, argued Stephan Chenette, co-founder and CTO of AttackIQ.

“Companies must do a better job at proactively securing sensitive data, starting with the basics and then building to more mature programs,” he added.

“To protect customer data, organizations should employ continuous security validation tools to identify and prioritize gaps in security that need to be addressed first, and continuously assessing the viability of their security controls to make sure they are enabled, configured correctly and operating effectively at all times.”

The Infosecurity Magazine Online Summit is happening next week! Join thousands of professionals from around the world and gain access to industry leading education sessions covering the latest infosec trends & technology for free. Do not miss this great opportunity to earn upto 12 CPEs in just two days. Register Now

What’s hot on Infosecurity Magazine?