Lion Group responds weakly to data breach
September 20th 2019
35 million records leaked for passengers at Thai Lion and Malindo.
The extent of a data breach at the Lion Group is growing, but the total impact is unclear, with the Group disclosing limited information a week after the incident surfaced. This contrasts with the wider disclosures from British Airways and Cathay Pacific when they suffered data breaches, although they were still faulted for lack of transparency.
Two tranches of Lion Group data were initially brought to public attention by Twitter user Under the Breach, as Orient Aviation reported last week.
One data set held 21 million records in which passenger information was limited to less sensitive details such as telephone number and email address. The second set was smaller, with 14 million records, but the data was more sensitive and comprised passenger date of birth and passport details. It is unclear whether all of the records represent unique passengers or whether multiple records belong to the same passenger.
While Under the Breach initially said the data only belonged to Thai Lion Air, Malaysian subsidiary Malindo Air is also involved, according to an investigation by BleepingComputer. Their investigation raised the possibility Lion’s premium Indonesian carrier Batik Air may also be involved, but Lion Group on September 19 said passenger data in Indonesia is safe, implying the Group’s Indonesian units – Lion, Batik and regional carrier Wings Air – are not affected.
The Group’s first statement was from Malindo Air on September 18, which said “personal data…may have been compromised”. Malindo did not state what data was involved or how many passengers were impacted. The Group has still not stated such information.
Malindo advised passengers to change their frequent flyer account passwords as a precautionary measure, although there are no reports such data may have been breached. Malindo also warned passengers “to be wary of any suspicious or unsolicited calls and/or emails seeking verification of personal data”.
Lion Group said it is working with authorities in Indonesia, Malaysia and Thailand, where it has airlines. The Group also said it does not retain payment information on its servers, and that there was no payment information in the leaked data, although the Group did not say what was in the leaked data.
Malindo said it was investigating with two external partners: Amazon Web Services and e-commerce partner GoQuo. On September 19, Malindo said the Amazon Web Services servers it uses in Singapore “are fully secured with no further vulnerabilities”.
The data sets were held in a backup file directory created in May 2019, according to BleepingComputer. It is unknown when the data was first accessed by unauthorised users, but links to the data first appeared on August 10. One backup file was named “PaymentGateway” while others made reference to Batik Air as well as Malindo’s loyalty programme and GoQuo, according to BleepingComputer, which could see the file names but not access the content. The most recent backup seemed to be from May 25.
The circumstances led BleepingComputer to surmise the data breach “has a high probability of being used by threat actors for financial gain”.