Malaysia Airlines has suffered a massive data breach that compromised personal data records of its frequent flyer customers over a period of nine years.
Personal data records of Malaysia Airlines customers, who were members of its frequent flyer programme, were compromised via a security breach that lasted for as long as nine years.
This week, Malaysia Airlines started notifying its Enrich frequent flyer programme members via email that their personal information was compromised due to a security incident at one of its third-party IT service providers.
In the email sent to Enrich FFP members, the airline wrote: “Malaysia Airlines was notified of a data security incident at one of its third-party IT service providers which involved some personal data of members of Enrich, Malaysia Airlines’ Frequent Flyer Programme between the period of March 2010 and June 2019.
“The personal data involved in the incident included Enrich member names, date of birth, gender, contact details, frequent flyer number, frequent flyer status, and frequent flyer tier level. It did not include any information about itineraries, reservations, ticketing, or any ID card or payment card information.”
The airline has confirmed that the breach did not expose any passwords, Enrich members’ itineraries, ticketing, reservations or any ID card or financial information. The airline said that as of now, there isn’t any evidence that the leaked information was used wrongfully. However, it has advised all its users to change their passwords as a precaution. The company has made it clear that it won’t call any customers to update their details over the phone. The airline has also refused to state the exact number of flyers who were affected by the security incident.
Malaysia Airlines still hasn’t made any public statement but it has confirmed the breach on social media sites. In one such response, the airline company said, “The data security incident occurred at our third-party IT service provider and not Malaysia Airlines’ computer systems. However, the airline is monitoring any suspicious activity concerning its members’ accounts and in constant contact with the affected IT service provider to secure Enrich members’ data and investigate the incident’s scope and causes.”
Commenting on the breach suffered by one of Malaysia Airlines’ third-party suppliers, Trevor Morgan, product manager at comforte AG, said the incident underscores just how much personal data, beyond payment information, the travel, hospitality, and entertainment industries collect from their customers.
“A business in any industry which offers up a loyalty programme needs to take data privacy and security very seriously. The first thought is to ensure that any housed data is walled off and secure. But what happens if a breach occurs (even one involving a third-party partner) and that data falls into the wrong hands? Only data-centric security methods can protect against that type of situation.
“Data-centric security protects the data itself instead of the “walls” around it using technologies such as tokenization or format-preserving encryption. If companies like Malaysia Airlines adopt a data-centric strategy, then they won’t have to worry about their customers’ private information no matter where it travels. Unfortunately, this doesn’t seem to be the case in this incident. That doesn’t mean other businesses can’t learn from the situation,” he added.
According to Florian Thurmann, Technical Director, EMEA at the Synopsys Software Integrity Group, many organisations don’t see the full picture of what their third-party vendors do with their critical data and systems. For example, if a vendor uses a shared account to access your corporate network, your organisation won’t be able to determine which of their employees has made a given change in the system.
“This lack of visibility, control, and security insight leaves a critical blind spot. Every organisation has the responsibility to ensure their software supply chain vendors meet your cybersecurity policy requirements. As we’re seeing in the case of Malaysia Airlines, even when a data breach takes place within a vendor’s systems, it’s the responsibility of the airline to ensure the privacy of their customers’ data,” he added.