Malaysia Airlines has notified its frequent flyer members of a security incident at a third-party IT service provider. According to an email sent to Enrich members on Monday 1 March, the incident took place over a nine-year period between March 2010 and June 2019. The airline did not, however, disclose the number of individuals affected. The exposed data includes Enrich members' names, dates of birth, gender and contact details, as well as their frequent flyer numbers, status and tier level.
Just days later, Singapore Airlines reportedly announced that over 580,000 KrisFlyer and PPS members had been affected by a data breach. That breach involved the passenger service system servers of SITA, an air transport IT company.
The Guru reached out to several cybersecurity experts to get their thoughts on the news.
Florian Thurmann, Technical Director, EMEA, Synopsys Software Integrity Group:
“Many organizations don’t see the full picture of what their third-party vendors do with their critical data and systems. For example, if a vendor uses a shared account to access your corporate network, your organization won’t be able to determine which of their employees has made a given change in the system. This lack of visibility, control, and security insight leaves a critical blind spot. Every organization has the responsibility to ensure its software supply chain vendors meet its cybersecurity policy requirements.
As we’re seeing in the case of Malaysia and Singapore Airlines, even when a data breach takes place within a vendor’s systems, it’s the responsibility of the airline to ensure the privacy of their customers’ data. This isn’t only the case for airlines, but for organizations across all industries. For this reason, it’s critically important to ensure your vendors take security as seriously as your organization, if not more.”
Boris Cipot, senior security engineer, Synopsys Software Integrity Group:
“The most concerning aspect of this data breach is the broad scope of the attack. In this case, the breach did not happen as a direct attack on Malaysia Airlines, but as a breach of their IT provider. A lesson which organizations can take away from this scenario is to create security rules and procedures, not only for internal stakeholders but also for their partners in the supply chain. This means taking the software and service provider processes into consideration when discussing a partnership and defining what security measures will be implemented.
It will be interesting to see how the breach occurred and why it remained undetected until now. As for the users of the Enrich platform, it is advisable that they change their password, ensuring it has not been reused for any other services/platforms. Also, watch out for phishing attacks or scams that might arise as a result of the breach.”
Martin Jartelius, CSO, Outpost24:
“When legislation states that if you are aware of a personal data breach, you need to inform subjects in a timely manner even if you do not have all the details, this is still a tad on the vague side for a data breach disclosure. It’s good that individuals are aware, but it’s near impossible to gauge the impact with such vague information, so we can only hope the company is able to provide a more accurate investigation in the near future.”
Trevor Morgan, product manager, comforte AG:
“The reported data security incident involving Malaysia Airlines underscores just how much personal data, beyond payment information, the travel, hospitality, and entertainment industries collect from their customers. Loyalty programs are hugely popular, and club members gladly provide quite a bit of personal data about who they are and what their personal preferences happen to be in order to collect valuable loyalty points. This incident calls into question just how secure all that personal and potentially sensitive data really is.
A business in any industry which offers up a loyalty program needs to take data privacy and security very seriously. The first thought is to ensure that any housed data is walled off and secure. But what happens if a breach occurs (even one involving a third-party partner) and that data falls into the wrong hands? Only data-centric security methods can protect against that type of situation. Data-centric security protects the data itself instead of the “walls” around it using technologies such as tokenization or format-preserving encryption. If companies like Malaysia Airlines adopt a data-centric strategy, then they won’t have to worry about their customers’ private information no matter where it travels. Unfortunately, this doesn’t seem to be the case in this incident. That doesn’t mean other businesses can’t learn from the situation.”
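The data-centric approach Morgan describes, illustrated as an added example that is not part of the original article and is not comforte AG's product or code: a hypothetical vault-based tokenization scheme in which the loyalty application database stores only format-preserving tokens, while the token-to-value mapping lives solely in a separately protected vault. The field names follow the data categories the article lists (name, frequent flyer number, contact details, tier); the member values, the `TokenVault` class and the `leaked_plaintext` check are all constructed for this example.

```python
from __future__ import annotations

import secrets
import string
from dataclasses import dataclass


class TokenVault:
    """Hypothetical token vault: the ONLY place where token -> plaintext is known.

    Tokens keep the shape of the original (digits stay digits, letters stay
    letters, separators such as '@', '.', ' ' stay put, length is unchanged),
    so downstream code that validates "frequent flyer number = 2 letters + 8
    digits" keeps working. The token itself carries no information about the
    real value; it is drawn from a CSPRNG, not derived from the plaintext.
    """

    def __init__(self) -> None:
        self._token_to_value: dict[str, str] = {}
        self._value_to_token: dict[str, str] = {}

    @staticmethod
    def _random_like(value: str) -> str:
        # Replace each alphanumeric character with a random one of the same class.
        out = []
        for ch in value:
            if ch.isdigit():
                out.append(secrets.choice(string.digits))
            elif ch.isupper():
                out.append(secrets.choice(string.ascii_uppercase))
            elif ch.islower():
                out.append(secrets.choice(string.ascii_lowercase))
            else:
                out.append(ch)  # keep separators so the format is preserved
        return "".join(out)

    def tokenize(self, value: str) -> str:
        # Deterministic per value, so the application can still join and
        # de-duplicate on the token without ever seeing the plaintext.
        if value in self._value_to_token:
            return self._value_to_token[value]
        if not any(ch.isalnum() for ch in value):
            raise ValueError("nothing to tokenize in value")  # would loop forever below
        while True:
            token = self._random_like(value)
            if token != value and token not in self._token_to_value:
                break
        self._token_to_value[token] = value
        self._value_to_token[value] = token
        return token

    def detokenize(self, token: str) -> str:
        # Raises KeyError for anyone holding a token but not this vault.
        return self._token_to_value[token]


@dataclass
class EnrichMember:
    """Constructed member record; fields mirror the breached data categories."""
    name: str
    frequent_flyer_number: str
    email: str
    tier: str  # low sensitivity, kept in the clear for analytics


def store_member(vault: TokenVault, member: EnrichMember) -> dict[str, str]:
    """What the loyalty application database actually persists."""
    return {
        "name": vault.tokenize(member.name),
        "frequent_flyer_number": vault.tokenize(member.frequent_flyer_number),
        "email": vault.tokenize(member.email),
        "tier": member.tier,
    }


def recover_member(vault: TokenVault, row: dict[str, str]) -> EnrichMember:
    """Only a caller with vault access can turn a stored row back into a member."""
    return EnrichMember(
        name=vault.detokenize(row["name"]),
        frequent_flyer_number=vault.detokenize(row["frequent_flyer_number"]),
        email=vault.detokenize(row["email"]),
        tier=row["tier"],
    )


def leaked_plaintext(rows: list[dict[str, str]], members: list[EnrichMember]) -> list[str]:
    """Simulate an attacker dumping the application table WITHOUT the vault:
    return every real sensitive value that appears verbatim in the dump."""
    dumped = {v for row in rows for v in row.values()}
    return [
        v
        for m in members
        for v in (m.name, m.frequent_flyer_number, m.email)
        if v in dumped
    ]


if __name__ == "__main__":
    vault = TokenVault()
    members = [EnrichMember("Alice Tan", "MH12345678", "alice.tan@example.com", "Gold")]
    rows = [store_member(vault, m) for m in members]
    print("application DB row:", rows[0])
    print("plaintext exposed by dumping the DB alone:", leaked_plaintext(rows, members))
    print("recovered via vault:", recover_member(vault, rows[0]))
```

The trade-off this makes visible is that the vault becomes the crown jewel: a dump of the loyalty database (or of a vendor's copy of it) yields tokens that are useless without it, so the vault must sit in a separate trust zone with its own access control and audit logging. Format-preserving encryption reaches the same end without a lookup table by replacing the vault with a keyed cipher over the same character classes; in that case the key, rather than the mapping, is what must be segregated.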
Paul Bischoff, privacy advocate, Comparitech.com:
“Airline loyalty programs and frequent flyer miles are a common target for cybercriminals, who can redeem them to get gift cards or make purchases at local retailers. Some points are also resold on the grey web to mileage brokers. I wrote an article examining airline miles being sold on the dark web in 2018: https://www.comparitech.com/blog/information-security/how-much-are-stolen-frequent-flyer-miles-worth-on-the-dark-web/. Prices averaged $0.015 per mile, much lower than the real-world market price.”
Brian Higgins, security specialist, Comparitech.com:
“Thankfully the perpetrators of this breach don’t seem to have accessed any personal data other than names and membership numbers. Whilst this will still be a concern for those customers involved, SITA appear to have a robust incident response plan in place for their protection. The vital take-away for operators here is that your supply-chain needs just as much protection as your core business. Data-sharing is a fundamental part of modern business practice but any enterprise should require and validate data security protocols for all of their suppliers, subsidiaries and any other associated companies. A breach in the chain can happen anywhere but if it’s your chain it’s your reputation.”
Chris Hauk, consumer privacy champion, Pixel Privacy:
“While it appears that the only information accessed in the breach is names and membership numbers, KrisFlyer and Singapore Airlines customers will still want to keep an eye on such things as the statistics on their loyalty program information and frequent flyer miles. It’s possible that the hackers could match up customer names with email addresses and cell phone numbers that they already possess, and may use the information to send out phishing emails and texts, which means affected users will want to keep an eye out for such attempts.”
Sam Curry, chief security officer, Cybereason:
“There is no business or consumer immune from heartless cyber gangs that would steal from soup kitchens and orphanages if they could profit. Unfortunately, the Malaysia Airlines breach is a reminder of how many more strides need to be made before we can put all defenders on higher ground from the cyber attackers. It isn’t acceptable to hear that the airline thinks the breach could have happened sometime between 2010-2019. Total transparency is needed and they need to home in on more specific details and be completely transparent with Enrich members. I guarantee members were shocked, as I was, to hear that their personal information has been in the wild for more than nine years. It is beyond unacceptable. In the short term, Enrich members need to stay on top of their credit reports, check their bank statements regularly and frequently update their passwords. For Malaysia Airlines, they can come out of this either the hero or the villain. They can’t be the victim. I suggest the hero by being honest, open and transparent about the immediate remediation steps they are taking and the preventative measures they are putting in place to protect Enrich members in the future.”
Chris Clements, VP of Solutions Architecture, Cerberus Sentinel:
“One of the worst aspects of “supply chain” compromises is that they can be even harder to detect than a direct breach of an organization. Now more than ever, businesses need to fully vet and actively manage vendors who may be able to access sensitive systems or data. A strong vendor management program can go a long way toward preventing exposure by requiring third parties that interact with a business’s data or systems to follow information security best practices, to demonstrate due diligence by adhering to well-known security standards such as NIST or ISO, and to perform regular security testing to ensure that no mistakes that could lead to exposures have fallen through the cracks.”