Ex-staffers at contractor firm caused data breach, says Malindo Air

Malindo Air says the data breach has been contained. (Bernama pic)

KUALA LUMPUR: Malindo Air, the Malaysian subsidiary of Indonesia’s Lion Group, said today that two former employees of its e-commerce contractor were responsible for its passenger data breach.

Malindo Air confirmed the breach last week after Moscow-based cybersecurity firm Kaspersky alerted users in Malaysia and Thailand.

Kaspersky told Reuters in an email that it had sent out an alert on Sept 13, two days after the data breach was made public.

Kaspersky said in its alert that the personal details of almost 46 million passengers of Malindo and Thai Lion Air, another Lion Group subsidiary, were posted online. Kaspersky said parts of the leaked databases were offered for sale.

Malindo Air said in a statement that two former employees of e-commerce services provider GoQuo (M) Sdn Bhd in their development centre in India “improperly accessed and stole the personal data of our customers”.

Reuters could not immediately reach GoQuo for comment. Malindo did not name the two former GoQuo employees.

The airline said the data breach had been contained and the matter reported to the police in Malaysia and India.

Malindo Air also said the breach was not related to the security of cloud service provider Amazon Web Services’ data architecture, and none of the payment details of customers was compromised.