Malaysia's Malindo Air confirms passenger data breach

Malaysia's Malindo Air, a subsidiary of Indonesia's Lion Group, said on Wednesday it was investigating a data breach involving the personal details of its passengers.

Malindo Air's statement followed a report by Moscow-based cybersecurity firm Kaspersky Lab that the details of around 30 million passengers of Malindo and fellow Lion Group subsidiary Thai Lion Air were posted in online forums. The report said the leaked information included passengers' passport details, addresses and phone numbers.

Lion Group and Thai Lion Air could not immediately be reached for comment.

Malindo Air said it was notifying authorities internationally about the incident and advised customers with online frequent flyer accounts to change their passwords.

It declined to provide more detail on its investigation, including how many customers were affected, but said it did not store any customer payment details on its servers.

"We are in the midst of notifying the various authorities both locally and abroad including CyberSecurity Malaysia," it said in a statement. "Malindo Air is also engaging with independent cybercrime consultants to investigate and report into this incident."

The files were uploaded and stored in an open Amazon Web Services (AWS) bucket, a public cloud storage resource. AWS, which is an external data service provider for Malindo, was not immediately available for comment.

Kaspersky said parts of the leaked databases were up for sale on the dark web.

Lion Air received global attention in October when one of its new Boeing 737 MAX jets crashed into the Java Sea, killing all 189 passengers and crew on board.