Third-Party Data Breach
One of Malaysia Airlines’ third-party IT service providers notified the airline of a security incident affecting personal information of some Enrich frequent flyer members. The data was exposed for almost a decade, from March 2010 to June 2019. The airline has not disclosed how many members are affected, but an exposure window of more than nine years is significant in itself: the longer data sits exposed, the greater the chance that someone accessed it. Malaysia Airlines confirmed that its own IT infrastructure and systems were not affected; the exposure was on the provider’s side. As soon as it was notified, the airline began emailing Enrich members about the breach. Beyond that email, there is no further information about the incident on Malaysia Airlines’ official website or social media channels, apart from a reply to an unrelated post on Twitter.
Personal Information Involved
According to the email Malaysia Airlines sent to Enrich members on Monday (March 1), the personal data involved in the incident included “Enrich member names, date of birth, gender, contact details, frequent flyer number, frequent flyer status and frequent flyer tier level”. It did not include itineraries, reservations, tickets, or any ID card or payment card information. Malaysia Airlines emphasized that there is no evidence of misuse and that no account passwords were disclosed. Nonetheless, it urges members to change their passwords as a precaution, is monitoring member accounts for suspicious activity, and is working with the affected IT service provider to establish the incident’s cause and scope.
What to Do Next?
Enrich members should follow Malaysia Airlines’ advice and change their Enrich password immediately. Use a password that is strong and unique to that account, and change it promptly whenever a service you use reports a breach; a password manager makes it practical to keep a different password for every site. (Rotating passwords on a fixed schedule is no longer recommended, for example by NIST SP 800-63B, because it tends to produce weaker, predictable passwords.) Malaysia Airlines has told members that it will NOT call them about this breach or to update their personal details, so any such call is a scam. Members should also be wary of phishing emails and phone calls: the leaked fields (name, date of birth, contact details, frequent flyer number, status and tier) are exactly what an attacker needs to make a fraudulent message look like genuine Enrich correspondence.
Data Security in the Travel Industry
The travel industry has had its unfair share of data security incidents. In the last 18 months alone, multiple travel industry giants have confirmed breaches, among them the airlines EasyJet and British Airways, the cruise companies Norwegian Cruise Line and Princess Cruises, and the hotel chains Marriott and MGM Resorts. Which?, a brand of the UK’s Consumers’ Association, found hundreds of security vulnerabilities in travel companies’ online systems. Describing its testing, Which? explained that it “didn’t engage in complex hacking to find this information”; it used only publicly available, lawful online tools that anyone can access. Lately, a number of major security incidents have originated with third-party service providers rather than the victims’ own systems. The Solorigate incident (the SolarWinds supply-chain compromise), for example, is still affecting organisations all over the world. The Accellion breach, which exploited the vendor’s legacy File Transfer Appliance, impacted Singapore’s largest mobile network operator, Singtel, as well as the Reserve Bank of New Zealand and the Australian Securities and Investments Commission (ASIC), among others. The Malaysia Airlines incident fits the same pattern: the airline’s own systems were untouched, but data it had entrusted to a supplier was exposed.