Lion Air leak puts data protection in spotlight

With all due respect to the affected passengers, the data leak affecting tens of millions of Lion Air Group customers could not have occurred at a better time: right when the government is planning to relax rules on data centers in a move that has sparked a fair amount of debate on data protection.

Rizki Fachriansyah (The Jakarta Post)
Jakarta
Thu, September 19, 2019


Passengers of the group’s subsidiaries Batik Air, Malaysia-based Malindo Air and Thailand-based Thai Lion Air had their personal details stolen and posted online last month, according to a cybersecurity research collective.

The data breach laid bare at least 35 million customers’ passport details, home addresses and phone numbers in the digital wilderness, effectively rendering them vulnerable to various kinds of cybercrime, including identity theft. Malindo Air confirmed the data breach in a statement on Wednesday.

The breach was discovered earlier this month by online cybersecurity intelligence collective Under the Breach, which goes by the Twitter handle @underthebreach. The collective posted censored screenshots of Thai Lion Air’s internal data in a brief Twitter thread, showing the sheer scale of the data theft.

“Hacker dumps @lionairthai’s customer and flight database. First database has 21 million records, which include passenger ID, reservation ID, customer address, phone number and email,” @underthebreach tweeted on Sept. 12. “Second database has 14 million records, which include the name, date of birth, phone number, passport number and passport expiration date.”

In an email interview with The Jakarta Post, the collective said a member of the online database leak forum raidforums.com had posted on Aug. 12 a host of private information, including data associated with Batik Air, Malindo Air and Thai Lion Air, in a thread titled “Bangkok airline”.

They said that, although the link to the files had been removed from the forum, backups of the airlines’ internal files were still available for download on file-sharing website pastebin.com. The files contained multiple references to Batik Air, Malindo Air and Thai Lion Air dating back to 2015. Several files were named “PaymentGateway”, in reference to airline customers’ payment information.

On Sept. 10, a thread was created on Raid Forums that exposed Thai Lion Air’s database — the same one that Under the Breach tweeted, the collective said. The same individual also posted the database of Malindo Air, but the collective said it was no longer available.

“We assume the person who opened the thread must have got the files from AWS [Amazon Web Services] and spread them throughout the network using the information in the files,” Under the Breach told the Post on Wednesday, in reference to American e-commerce giant Amazon’s cloud storage service, which the airlines reportedly used to store private data.

AWS spokesperson for Asia Julie Cleeland Nicholls did not respond to the Post’s request for comment.

In its statement, Malindo said its in-house teams and external data service providers AWS and Malaysia-based GoQuo were currently investigating the incident.

“We are in the midst of notifying various authorities both locally and abroad, including CyberSecurity Malaysia. Malindo Air is also engaging with independent cybercrime consultants to investigate and report this incident,” spokesperson Andrea Liong said, advising its customers with Malindo Miles accounts to change their passwords as a precautionary measure.

Lion Air spokesman Danang Mandala Prihantoro only relayed Malindo’s statement upon an interview request from the Post and was unavailable for further comment.

Communication and Information System Security Research Center chairman Pratama Persadha called on Lion Air to immediately examine which parts of its database had yet to be reinforced with additional security, such as encryption. He also urged the airline to regularly conduct penetration tests to detect any security holes in its system to prevent similar breaches in the future.

There were several possible explanations for the breach of Lion Air’s database, he said. The hacker could have exploited vulnerabilities in the airline’s system, embedded spyware into the database or fooled a system administrator into clicking on a fake link designed specifically for siphoning off data — a practice known as phishing, he explained.

“Or it might have been just another case of an admin forgetting to log out of the system, therefore falling victim to keystroke logging,” Pratama said, in reference to the covert action of recording the keys struck on a keyboard.

The data breach once again puts a spotlight on data protection, which remains a dire concern among businesses in Indonesia.

The government is set to issue a revision to Government Regulation (PP) No. 82/2012, which will require public institutions to store data onshore while private companies can have their data stored overseas, as long as they register with the Communications and Information Ministry, subjecting them to stipulations on pro-consumer data protection and negative content moderation.

Indonesian Ombudsman commissioner Alvin Lie said that, in the digitization era, it did not matter where the data was stored; the most important thing was to ensure consumer data protection, accessibility for authorities and the correct utilization of users’ data.

“An up-to-date security system should be ensured by the government [in the PP revision],” he said. “Therefore, private companies that keep personal data, civil administration data, for instance, can comply [with a legally binding regulation] to ensure data protection even if [it] is stored overseas.”

Indonesian ICT Business Association (APTIKNAS) chairman Soegiharto Santoso said the regulation should require online platforms to provide simplified terms and conditions and to educate users to better understand the risks surrounding their data. (asp/awa)
