On the 27th of September, Malindo sent out a similar email to all its customers with no further explanation as to the cause or the severity of the breach. The email only cautioned customers to be wary of any suspicious and unsolicited calls or emails – and reminded them that their passwords have been auto-reset. What Malindo Air should have done is inform affected customers on the severity of the breach and what kind of remedial action is available to them. They did not. While it is already known that Customer’s personal contact details as well as Passport information was leaked together with their flight booking details – it was assumed that these were limited to only historic flight bookings. Unfortunately, we can now independently confirm that advance flight booking information was also included in the leaked files. While there is very little risk associated with the historical travel information, advance flight bookings details could be easily misused and manipulated by anyone who has access to the leaked files. This information puts travelers at risk as their future travel details and dates have been leaked out. We’re not even going to get started on the number of Datuk, Datin’s and Tan Sri’s who are on the leaked list who would not be too happy to have their travel privacy exposed. Malindo Air should be notifying all those affected – as the possibility of this information being abused is a lot higher compared to a trivial password auto-reset.
The Real Cause of the Data Breach
Malindo Air has at this point in time not released any further information as to the contents of the above files, as well as whether login credentials stored in these files were encrypted or not. It is fairly obvious that the backup files containing the Flight and Passenger information was not encrypted. Based on the booking dates present in the backup files, we can also independently confirm that the backup was done sometime between late August and early September 2019. Malindo Air has only confirmed that no payment information were stored in any of the leaked files. We are hoping that Malindo Air will be taking the necessary steps to inform all affected customers, especially those with upcoming flights to be extra vigilant as their upcoming flight information and travel plans have been leaked in the data breach.
