Malaysia Airlines disclosed a 9-year frequent flyer data breach.
A third-party technology provider was at the heart of the breach. The third party was in charge of the airline's Enrich rewards program from March 2010 to June 2019.
Unfortunately, PII was exposed: member names, contact information, dates of birth, gender, frequent flyer numbers, and status and rewards tier level.
In one of several responses on Twitter, Malaysia Airlines confirmed: "The data security incident occurred at our third-party IT service provider and not Malaysia Airlines' computer systems. However, the airline is monitoring any suspicious activity concerning its members' accounts and is in constant contact with the affected IT service provider to secure Enrich members' data and investigate the incident's scope and causes."
Stuart Barwood, Director of Global Airline Strategy at Forter, shares his insights on the incident:
“Fraud protection is particularly critical for airlines, who are trusted with both personal data and loyalty points with significant monetary value. As we’ve seen with various supply chain attacks, this means not only preventing fraudsters from accessing accounts directly, but also from third-party data breaches. However secure airlines’ own infrastructure may be, breaches can occur outside of their direct control when working with third-party partners and suppliers.
While third-party breaches like this are a major concern, they continue to be challenging to prevent altogether. Airlines need to think beyond security and implement measures to minimize damage as well. Loyalty fraud prevention systems can stop access by bad actors and make monetization of stolen data much more difficult.”