Malaysia Airlines has confirmed it has suffered a "data security incident" via a third-party IT service provider. The company also said the breach had not affected its carrier's core IT infrastructure and systems. 

The airline said the incident had occurred at some point during a nine-year period between March 2010 and June 2019, according to Channel Asia. A statement by the company, sent to its Enrich frequent flyer members, said the incident did not affect itineraries, reservations, ticketing, ID card or payment card information. The breached data, however, does contain Enrich member names, date of birth, gender and contact details, in addition to frequent flyer number, status and tier level information. 

“Malaysia Airlines has no evidence that any personal data has been misused and the incident did not disclose any account passwords,” the statement read. “We are nevertheless encouraging Enrich members to change their account passwords as a precautionary measure. The incident did not affect Malaysia Airlines’ own IT infrastructure and systems in any way.”

Andrew Barratt, Managing Principal, Solutions and Investigations at Coalfire, a Westminster, Colorado-based provider of cybersecurity advisory services, explains, “Airlines are a rich source of information, with a big supply of Passenger Name Records (PNRs) that are used to share information between booking systems, global distribution systems (GDS) and hotels. Malaysian airlines seem to have a really broad timeframe for the data breach indicating that they probably didn’t have adequate monitoring and alerting systems in place, which may pose some concerns for them if there is GDPR relevant data exposed. Unfortunately the timeframe is the same period that they tragically lost flight 370 so there may be some discretion applied if regulators review the case. Airlines in general are a high profile target, with loyalty data that can be easily monetized and huge volumes of data including often a large volume of payment data as was seen in the British Airways breach."

Barratt adds, "This also seems like the inflection point of two themes at the moment – a continued assault on third parties service providers that are then leveraged to gain access to other parties and high profile businesses that perhaps don’t have the appropriate third party review programs in place.”

Brandon Hoffman, Chief Information Security Officer at Netenrich, a San Jose, Calif.-based provider of IT, cloud, and cybersecurity operations and services, says, “It seems likely that the system used to manage the Enrich program is managed by the affected third party. This incident highlights the need for strict rules around time to disclose. In a similar scenario, had more detailed personal information or financial information been stolen the impact could be very widespread if it took place nine years ago. Time to disclose is critical for the incident response process, especially when it involves third party or vendors. The question here is whether it happened within the nine year period and they did not disclose until now or if it happened within the nine years and they just found out now. Based on the oddly specific nine year window it seems likely this issue persisted for all the nine years, or happened nine years ago, and they are just discovering it. If that’s the case there is a whole different set of issues and that need to be addressed from a cyber hygiene perspective.”

Purandar Das, CEO and Co-Founder of Sotero, an encryption-based security company, says, “Organizations continue to be impacted by under protected third-party service providers. While such services are a key part of an organization’s customer services, they pose an increasing risk to the company. This is an area that is being increasingly targeted by hackers. The reason is fairly simple. Service providers are less organized in terms of security. Their infrastructure is less secure and more easily penetrated. Hackers target them knowing that their access to potentially valuable data is easier. On the surface this data seems less likely to cause damage to the consumer. However, this stolen data forms a part of the consumers profile that is created by data stolen from many locations. In totality, this enables the hackers to assemble a strong profile of the consumers and their behavior and could be used to target them for nefarious purposes. The fact that this breach happened over a long period of time without detection indicates the lack of security at the service provider. It is also unlikely that this data was not used for wrong reasons if the breach lasted as long it did. If the data was useless, the hackers would have moved on. It is time for organizations to take control of their data and its protection even when it is in the hands of service providers.”