Malaysia Airlines Berhad, currently branded as Malaysia Airlines, has revealed that it has been hit by a major data breach.

Investigations have uncovered that the data leak spans a nine-year period and involves exposed personally identifiable information (PII). The data subjects affected by the recently revealed Malaysia Airlines breach are all select members of the air carrier’s frequent flyer reward programme, “Enrich”.

Public disclosure of a data leak

Following the discovery of the data leak, personnel from Malaysia’s flag carrier started contacting those who had enrolled in its Enrich frequent flyer programme and who had been affected by the infiltration and exposure.

According to details supplied by Malaysia Airlines, the breach occurred at one of the carrier’s third-party IT service providers, which notified it that data on the reward programme’s members had been exposed during a period stretching from March 2010 to June 2019.

The airline, which is also a member of the Oneworld airline alliance, commented on the third-party leak:

“Malaysia Airlines was notified of a data security incident at one of its third-party IT service providers which involved some personal data of members of Enrich, Malaysia Airlines’ frequent flyer programme between the period of March 2010 and June 2019. The incident did not affect Malaysia Airlines’ own IT infrastructure and systems in any way.”

Member data exposed in the breach

The members’ PII exposed in the data leak includes contact details such as email and street addresses and phone numbers, along with member names, genders and dates of birth. It also includes subscription information such as frequent flyer numbers and rewards tier levels. However, the data involved in the breach did not include the Enrich programme members’ travel itineraries, ticketing, reservations, or any payment or personal identity card details.

The airline, headquartered at Kuala Lumpur International Airport, also stated that not a single password was disclosed during the leak and that its investigations had uncovered no evidence of any misuse. Despite this, Malaysia Airlines recommends that all data subjects whose information was involved in the leak change their passwords as a precaution.

Anyone with a membership to the Enrich programme would be wise to log into their rewards account and follow this advice. If they use the same password on multiple sites, it should be changed on every site and application where it is used.

Malaysia Airlines has also warned all affected data subjects that it will not be contacting any Enrich members by phone about updating their online accounts. Any members receiving a phone call claiming to be from the airline regarding the breach, or requesting personal details, are advised to hang up as soon as possible. Data collected from breaches is commonly used in follow-on malicious attacks, so members should treat calls, texts and emails purporting to be from Malaysia Airlines with suspicion.

At this time, the precise number of frequent flyer programme members impacted by the data breach is unknown.