Malaysia Airlines was notified of a data security incident at one of its third-party IT service providers, according to an email letter sent by the airline to its Enrich members. The incident involved some personal data of members of Enrich, Malaysia Airlines’ Frequent Flyer Programme, between March 2010 and June 2019. “The incident did not affect Malaysia Airlines’ own IT infrastructure and systems in any way,” said the statement.
The personal data involved in the incident included Enrich member names, date of birth, gender, contact details, frequent flyer number, frequent flyer status and frequent flyer tier level, revealed the airline. It did not include any information about itineraries, reservations, ticketing, or any ID card or payment card information, it claimed.
“Malaysia Airlines has no evidence that any personal data has been misused and the incident did not disclose any account passwords. We are nevertheless encouraging Enrich members to change their account passwords as a precautionary measure.”
The letter also included contact information of its Data Privacy Officers whom the Enrich members could email for further guidance.
Florian Thurmann, Technical Director, EMEA, Synopsys Software Integrity Group, commented on the breach, saying that many organisations don’t see the full picture of what their third-party vendors do with their critical data and systems.
“For example, if a vendor uses a shared account to access your corporate network, your organisation won’t be able to determine which of their employees has made a given change in the system. This lack of visibility, control, and security insight leaves a critical blind spot. Every organisation has the responsibility to ensure their software supply chain vendors meet your cybersecurity policy requirements,” he remarked.
“As we’re seeing in the case of Malaysia Airlines, even when a data breach takes place within a vendor’s systems, it’s the responsibility of the airline to ensure the privacy of their customers’ data. This isn’t only the case for airlines, but for organisations across all industries. For this reason, it’s critically important to ensure your vendors take security as seriously as your organisation, if not more.”