Malaysia Airlines has emailed the members of its Enrich frequent flyer scheme to admit an embarrassing blunder. For one month, the personal data of Enrich members was compromised. The issue occurred at one of Malaysia Airlines’ third-party IT service providers. The airline says there’s no evidence of misused personal data. Nonetheless, Malaysia Airlines is asking its frequent flyers to change their password.
“Malaysia Airlines was notified of a data security incident at one of its third-party IT service providers which involved some personal data of members of Enrich, Malaysia Airlines’ Frequent Flyer Programme between the period of March 2010 and June 2019,” the email to Enrich members on Monday said.
“The personal data involved in the incident included Enrich member names, date of birth, gender, contact details, frequent flyer number, frequent flyer status, and frequent flyer tier level. It did not include any information about itineraries, reservations, ticketing, or any ID card or payment card information.”
Many unanswered questions about a potential data breach at Malaysia Airlines
Exactly what happened isn’t clear. It may have been a long-running vulnerability in the IT architecture. It may have been an employee or contractor downloading member information.
Other than emailing members, Malaysia Airlines has had little to say about the incident. However, the airline has acknowledged the incident on social media.
“The data security incident occurred at our third-party IT service provider and not Malaysia Airlines’ computer systems,” Malaysia Airlines’ official Twitter feed says.
— Malaysia Airlines (@MAS) March 1, 2021
“The airline is monitoring any suspicious activity concerning its members’ accounts and in constant contact with the affected IT service provider to secure Enrich members’ data and investigate the incident’s scope and causes.”
Malaysia Airlines has not revealed how many of its Enrich members this incident impacts. Nor has the airline revealed the identity of the third-party IT service provider. Simple Flying has contacted Malaysia Airlines for further information regarding the incident.
Airline frequent flyer programs open to attack
While the publicity is embarrassing for Malaysia Airlines, it isn’t the first airline to see its frequent flyers’ personal data leave the building. In 2016, hackers stole US$24,000 worth of Air India miles. The hackers diverted miles from real accounts to accounts held in false names. The escapade caused significant embarrassment at Air India.
It’s not just Asian airlines that are vulnerable. Millions of frequent flyer miles have been stolen from big-name airlines like United and American. Last year, the FBI arrested six people for hacking into United States-based frequent flyer accounts and then using those stolen points to sell flights to unsuspecting punters.
Therein lies a potential threat for Enrich frequent flyer members. You don’t need a lot of personal data to access a person’s frequent flyer account. Enrich members with big points balances are potentially at risk. Perhaps that’s why, despite saying passwords weren’t compromised, Malaysia Airlines is encouraging Enrich members to change their account passwords. It also suggests Enrich members be wary of unsolicited contact from the airline or someone purporting to be from the airline.
Does this IT incident at Malaysia Airlines surprise or concern you? Post a comment and let us know.