Members of the Enrich frequent flyer program of Malaysia Airlines had their data compromised following a data security incident at one of its third-party IT service providers.
Malaysia Airlines (MAB) said in an email that the personal data of Enrich members may be affected, including names, dates of birth, contact numbers, gender, flyer number, status, and flyer tier level. Although there’s no evidence showing that these pieces of information were misused, the information is still compromised.
The data breach reportedly affected all members from March 2010 to June 2019. However, no ticketing, reservation, payment card, or itinerary information was affected.
MAB’s IT infrastructure remains working; however, all members are advised to change their passwords for security purposes. The airline has sent an email to its Enrich members notifying them about the incident and explaining how customers can contact the airline with queries and other concerns.
A decade’s worth of data is a lot, and threat actors can use the information for phishing attacks. A host of scams could potentially threaten the customers’ information, leaving them vulnerable to fraudulent activities.
However, MAB continues to claim that there’s no evidence showing that the compromised data was used for any misconduct. Meanwhile, security experts said hackers can easily use the information and monetize it accordingly.
“Airlines are a rich source of information, with a big supply of passenger name records that are used to share information between booking systems, global distribution systems and hotels,” said Coalfire Managing Director Andrew Barratt.
In line with this, hackers consider airlines a hot, high-profile target from which to fish out information they can use for a number of fraudulent acts, be it through email phishing, logging in to online banking, or social media.
So far, MAB hasn’t made any public announcement about the security incident, or even posted a notice on its website. However, it has confirmed the incident on its official Twitter account, replying to its customers.
Security experts cite the airline’s lack of security detection technology, as the breach happened over a long period of time. Because customer data is at risk, airlines should be more careful when collecting and handling information.
“This incident highlights the need for strict rules around time to disclose. Had more detailed personal information or financial information been stolen, the impact could be very widespread if it took place nine years ago,” said Netenrich chief officer Brandon Hoffman.
MAB recently announced a new fare-based earning program in line with Enrich. This will commence in April 2021.