Now departing: your airline customer data.
Malaysia Airlines faces the daunting task of investigating over nine years’ worth of compromised data after learning of a “data security incident” at a third-party IT service provider that exposed Enrich frequent flyer program member data from March 2010 through June 2019.
Airline loyalty program data is a popular target among cybercriminals. And a breach that lingers undetected for nearly a decade would have granted any potential attackers plenty of time to leverage such information to commit a host of scams and phishing schemes and to steal and sell victims’ flyer miles. However, Malaysia Airlines claims that so far there is no evidence of data misuse.
“Airlines are a rich source of information, with a big supply of passenger name records that are used to share information between booking systems, global distribution systems and hotels,” said Andrew Barratt, managing principal of solutions and investigations at Coalfire. “Airlines in general are a high-profile target, with loyalty data that can be easily monetized.” Payment information can also be compromised, as was seen in the British Airways breach.
In this particular instance, the compromised data includes name, contact information, date of birth, gender, frequent flyer number, membership status, and rewards tier level. Malaysia Airlines' own internal IT infrastructure was not impacted. Travel details, payment info and passwords were not compromised, although customers are still advised to change their login credentials.
“On the surface, this data seems less likely to cause damage to the consumer. However, this stolen data forms a part of the consumer’s profile that is created by data stolen from many locations,” said Purandar Das, CEO and co-founder of Sotero. “In totality, this enables the hackers to assemble a strong profile of the consumers and their behavior and could be used to target them for nefarious purposes.”
So far, details around the breach are scant, and SC Media has not yet received a response to a request for comment from Malaysia Airlines. But the fact that the data spans nine years of customers is certainly troubling, experts say.
“The fact that this breach happened over a long period of time without detection indicates the lack of security at the service provider,” Das said. “It is also unlikely that this data was not used for wrong reasons if the breach lasted as long as it did. If the data was useless, the hackers would have moved on.”
According to at least one report, the airline yesterday began emailing its customers breach notifications. Of course, after nine years, it’s possible some ex-members have changed their emails and other contact information. The company will not attempt to contact victims by phone, so any calls customers receive related to this incident should be considered a scam.
“This incident highlights the need for strict rules around time to disclose,” particularly for third-party vendors, said Brandon Hoffman, chief information security officer at Netenrich. “In a similar scenario, had more detailed personal information or financial information been stolen, the impact could be very widespread if it took place nine years ago.”
Indeed, this latest incident is another example of why it’s important for businesses to assess and manage third-party vendor risk.
“Organizations continue to be impacted by under-protected third-party service providers,” said Das. “While such services are a key part of an organization’s customer services, they pose an increasing risk to the company. This is an area that is being targeted by hackers. Service providers are less organized in terms of security. Their infrastructure is less secure and more easily penetrated.”
“One of the challenges with using third-party systems is the potential difficulty of holding them to the same level of cybersecurity used in your own organization,” added Saryu Nayyar, CEO at Gurucul. “You could have a complete security stack, security analytics and a trained security operations team, but that may not help when a trusted third party isn't operating at the same standard.”