Security Magazine logo
search
cart
facebook twitter linkedin youtube
  • Sign In
  • Create Account
  • Sign Out
  • My Account
Security Magazine logo
  • NEWS
    • Security Newswire
    • Technologies & Solutions
  • MANAGEMENT
    • Leadership Management
    • Enterprise Services
    • Security Education & Training
    • Logical Security
    • Security & Business Resilience
    • Profiles in Excellence
  • PHYSICAL
    • Access Management
    • Fire & Life Safety
    • Identity Management
    • Physical Security
    • Video Surveillance
    • Case Studies (Physical)
  • CYBER
    • Cybersecurity News
    • More
  • BLOG
  • COLUMNS
    • Cyber Tactics
    • Leadership & Management
    • Security Talk
    • Career Intelligence
    • Leader to Leader
    • Cybersecurity Education & Training
  • EXCLUSIVES
    • Annual Guarding Report
    • Most Influential People in Security
    • The Security Benchmark Report
    • The Security Leadership Issue
    • Top Guard and Security Officer Companies
    • Top Cybersecurity Leaders
    • Women in Security
  • SECTORS
    • Arenas / Stadiums / Leagues / Entertainment
    • Banking/Finance/Insurance
    • Construction, Real Estate, Property Management
    • Education: K-12
    • Education: University
    • Government: Federal, State and Local
    • Hospitality & Casinos
    • Hospitals & Medical Centers
    • Infrastructure:Electric,Gas & Water
    • Ports: Sea, Land, & Air
    • Retail/Restaurants/Convenience
    • Transportation/Logistics/Supply Chain/Distribution/ Warehousing
  • EVENTS
    • Industry Events
    • Webinars
    • Solutions by Sector
    • Security 500 Conference
  • MEDIA
    • Videos
      • Cybersecurity & Geopolitical Discussion
      • Ask Me Anything (AMA) Series
    • Podcasts
    • Polls
    • Photo Galleries
  • MORE
    • Call for Entries
    • Classifieds & Job Listings
    • Continuing Education
    • Newsletter
    • Sponsor Insights
    • Store
    • White Papers
  • EMAG
    • eMagazine
    • This Month's Content
    • Advertise
  • SIGN UP!
CybersecurityManagementSecurity NewswireCybersecurity News

Malaysian Airlines is breached

airplane
March 3, 2021

Malaysia Airlines has confirmed it has suffered a "data security incident" via a third-party IT service provider. The company also said the breach had not affected its carrier's core IT infrastructure and systems. 

The airline said the incident had occurred at some point during a nine-year period between March 2010 and June 2019, according to Channel Asia. A statement by the company, sent to its Enrich frequent flyer members, said the incident did not affect itineraries, reservations, ticketing, ID card or payment card information. The breached data, however, does contain Enrich member names, date of birth, gender and contact details, in addition to frequent flyer number, status and tier level information. 

“Malaysia Airlines has no evidence that any personal data has been misused and the incident did not disclose any account passwords,” the statement read. “We are nevertheless encouraging Enrich members to change their account passwords as a precautionary measure. The incident did not affect Malaysia Airlines’ own IT infrastructure and systems in any way.”

Andrew Barratt, Managing Principal, Solutions and Investigations at Coalfire, a Westminster, Colorado-based provider of cybersecurity advisory services, explains, “Airlines are a rich source of information, with a big supply of Passenger Name Records (PNRs) that are used to share information between booking systems, global distribution systems (GDS) and hotels. Malaysian airlines seem to have a really broad timeframe for the data breach indicating that they probably didn’t have adequate monitoring and alerting systems in place, which may pose some concerns for them if there is GDPR relevant data exposed. Unfortunately the timeframe is the same period that they tragically lost flight 370 so there may be some discretion applied if regulators review the case. Airlines in general are a high profile target, with loyalty data that can be easily monetized and huge volumes of data including often a large volume of payment data as was seen in the British Airways breach."

Barratt adds, "This also seems like the inflection point of two themes at the moment – a continued assault on third parties service providers that are then leveraged to gain access to other parties and high profile businesses that perhaps don’t have the appropriate third party review programs in place.”

Brandon Hoffman, Chief Information Security Officer at Netenrich, a San Jose, Calif.-based provider of IT, cloud, and cybersecurity operations and services, says, “It seems likely that the system used to manage the Enrich program is managed by the affected third party. This incident highlights the need for strict rules around time to disclose. In a similar scenario, had more detailed personal information or financial information been stolen the impact could be very widespread if it took place nine years ago. Time to disclose is critical for the incident response process, especially when it involves third party or vendors. The question here is whether it happened within the nine year period and they did not disclose until now or if it happened within the nine years and they just found out now. Based on the oddly specific nine year window it seems likely this issue persisted for all the nine years, or happened nine years ago, and they are just discovering it. If that’s the case there is a whole different set of issues and that need to be addressed from a cyber hygiene perspective.”

Purandar Das, CEO and Co-Founder of Sotero, an encryption-based security company, says, “Organizations continue to be impacted by under protected third-party service providers. While such services are a key part of an organization’s customer services, they pose an increasing risk to the company. This is an area that is being increasingly targeted by hackers. The reason is fairly simple. Service providers are less organized in terms of security. Their infrastructure is less secure and more easily penetrated. Hackers target them knowing that their access to potentially valuable data is easier. On the surface this data seems less likely to cause damage to the consumer. However, this stolen data forms a part of the consumers profile that is created by data stolen from many locations. In totality, this enables the hackers to assemble a strong profile of the consumers and their behavior and could be used to target them for nefarious purposes. The fact that this breach happened over a long period of time without detection indicates the lack of security at the service provider. It is also unlikely that this data was not used for wrong reasons if the breach lasted as long it did. If the data was useless, the hackers would have moved on. It is time for organizations to take control of their data and its protection even when it is in the hands of service providers.”

 

KEYWORDS: cyber security data breach information security risk management

Share This Story

Looking for a reprint of this article?
From high-res PDFs to custom plaques, order your copy today!

Recommended Content

JOIN TODAY
To unlock your recommendations.

Already have an account? Sign In

  • Security's Top Cybersecurity Leaders 2024

    Security's Top Cybersecurity Leaders 2024

    Security magazine's Top Cybersecurity Leaders 2024 award...
    Security Enterprise Services
    By: Security Staff
  • cyber brain

    The intersection of cybersecurity and artificial intelligence

    Artificial intelligence (AI) is a valuable cybersecurity...
    Security Enterprise Services
    By: Pam Nigro
  • artificial intelligence AI graphic

    Assessing the pros and cons of AI for cybersecurity

    Artificial intelligence (AI) has significant implications...
    Cybersecurity
    By: Charles Denyer
Manage My Account
  • Security eNewsletter & Other eNews Alerts
  • eMagazine Subscriptions
  • Manage My Preferences
  • Online Registration
  • Mobile App
  • Subscription Customer Service

More Videos

Sponsored Content

Sponsored Content is a special paid section where industry companies provide high quality, objective, non-commercial content around topics of interest to the Security audience. All Sponsored Content is supplied by the advertising company and any opinions expressed in this article are those of the author and not necessarily reflect the views of Security or its parent company, BNP Media. Interested in participating in our Sponsored Content section? Contact your local rep!

close
  • Crisis Response Team
    Sponsored byEverbridge

    Automate or Fall Behind – Crisis Response at the Speed of Risk

  • Perimeter security
    Sponsored byAMAROK

    Why Property Security is the New Competitive Advantage

  • Duty of Care
    Sponsored byAMAROK

    Integrating Technology and Physical Security to Advance Duty of Care

Popular Stories

Coding

AI Emerges as the Top Concern for Security Leaders

Half open laptop

“Luigi Was Right”: A Look at the Website Sharing Data on More Than 1,000 Executives

Shopping mall

Victoria’s Secret Security Incident Shuts Down Website

Laptop with coding on ground

Stepping Into the Light: Why CISOs Are Replacing Black-Box Security With Open-Source XDR

Gift cards and credit cards

Why Are Cyberattacks Targeting Retail? Experts Share Their Thoughts

2025 Security Benchmark banner

Events

June 24, 2025

Inside a Modern GSOC: How Anthropic Benchmarks Risk Detection Tools for Speed and Accuracy

For today's security teams, making informed decisions in the first moments of a crisis is critical.

July 17, 2025

Tech in the Jungle: Leveraging Surveillance, Access Control, and Technology in Unique Environments

From animal habitats to bustling crowds of visitors, a zoo is a one-of-a-kind environment for deploying modern security technologies.

View All Submit An Event

Products

Security Culture: A How-to Guide for Improving Security Culture and Dealing with People Risk in Your Organisation

Security Culture: A How-to Guide for Improving Security Culture and Dealing with People Risk in Your Organisation

See More Products

Related Articles

  • Doorway to Cybersecurity

    Computer Scientists Develop Tool to Tell if Website is Breached

    See More
  • cyber5-900px.jpg

    Personal Information of 20 Million People in Ecuador is Breached

    See More
  • Airplane

    Lion Mentari Airlines Suffers Data Breach

    See More

Related Products

See More Products
  • databasehacker

    The Database Hacker's Handboo

See More Products

Events

View AllSubmit An Event
  • March 6, 2025

    Why Mobile Device Response is Key to Managing Data Risk

    ON DEMAND: Most organizations and their associating operations have the response and investigation of computers, cloud resources, and other endpoint technologies under lock and key. 
View AllSubmit An Event
×

Sign-up to receive top management & result-driven techniques in the industry.

Join over 20,000+ industry leaders who receive our premium content.

SIGN UP TODAY!
  • RESOURCES
    • Advertise
    • Contact Us
    • Store
    • Want More
  • SIGN UP TODAY
    • Create Account
    • eMagazine
    • eNewsletter
    • Customer Service
    • Manage Preferences
  • SERVICES
    • Marketing Services
    • Reprints
    • Market Research
    • List Rental
    • Survey/Respondent Access
  • STAY CONNECTED
    • LinkedIn
    • Facebook
    • YouTube
    • X (Twitter)
  • PRIVACY
    • PRIVACY POLICY
    • TERMS & CONDITIONS
    • DO NOT SELL MY PERSONAL INFORMATION
    • PRIVACY REQUEST
    • ACCESSIBILITY

Copyright ©2025. All Rights Reserved BNP Media.

Design, CMS, Hosting & Web Development :: ePublishing