Malaysia Airlines has informed Enrich frequent flyer members of a “data security incident” via a third-party IT service provider, insisting the breach avoided the national carrier’s core IT infrastructure and systems.
Delivered via an email note to members on Monday 1 March, the airline advised that the incident occurred at some point during a nine-year period between March 2010 and June 2019, without disclosing the number of individuals impacted.
Breached personal data includes Enrich member names, date of birth, gender and contact details, in addition to frequent flyer number, status and tier level information.
According to the statement - which has yet to be shared publicly but was first revealed by Malay Mail - the incident did not affect itineraries, reservations, ticketing, ID card or payment card information.
“Malaysia Airlines has no evidence that any personal data has been misused and the incident did not disclose any account passwords,” the statement read. “We are nevertheless encouraging Enrich members to change their account passwords as a precautionary measure. The incident did not affect Malaysia Airlines’ own IT infrastructure and systems in any way.”
The announcement comes less than a month after revelations that software used by Singtel was “illegally attacked by unidentified hackers”, with the attackers accessing file sharing system FTA via third-party vendor Accellion. According to the telecommunications giant, the breach impacted a “standalone system” which is used to share information internally as well as with external stakeholders.
“This is an isolated incident involving a standalone third-party system,” a statement from Singtel read at the time. “Our core operations remain unaffected and sound.”
Accellion advised that the incident formed part of a wider concerted breach against users of the vendor’s file sharing system following a “sophisticated cyber attack” on 23 December. With all FTA customers “promptly notified” at the time, Accellion also moved to patch all known FTA vulnerabilities exploited by the attackers, alongside adding new monitoring and alerting capabilities to flag anomalies associated with these attack vectors.