Malaysia Airlines sent out an email to frequent flyer program members assuring them that there’s “no evidence” their personal data has been misused in the wake of a supply-chain attack via a third-party vendor.
However, experts think that’s unlikely. And, they say the repercussions could be significant.
Malaysia Airlines’ frequent flyer program, Enrich, was breached sometime around March 2010 — and remained exposed until June 2019, leaving thousands of members’ personal data, including name, date of birth, gender, contact information, ID number, status and tier level unprotected, an email sent out to members from the company said.
Malaysia Airlines hasn’t released a formal statement, but its official Twitter account @MAS offered some explanation in a Mar. 1 response to a user, linking to news of the breach.
“…The data security incident occurred at our third-party IT service provider and not Malaysia Airlines’ computer systems,” the airline’s account responded. “However, the airline is monitoring any suspicious activity concerning its members’ accounts and in constant contact with the affected IT service provider to secure Enrich members’ data and investigate the incident’s scope and causes.”
A subsequent tweet from the airline added, “Kindly note that Malaysia Airlines has no evidence that the incident affected any account passwords. We nevertheless encourage members to change their passwords as a precautionary measure.”
Threatpost’s requests for comment from Malaysia Air’s press and privacy offices have not yet received a response.
The Threat of Breached Malaysia Air Data
Stolen personal data collected from sources like loyalty programs can be pieced together with other details to create a full, incredibly detailed profile of a victim, which can be used in attacks ranging from socially engineered spear-phishing campaigns to straightforward fraud.
The attackers’ persistence demonstrates how much value they saw in the Malaysia Air data, and it also showcases a lack of defenses, said Purandar Das, CEO of security firm Sotero.
“This stolen data forms a part of the consumer’s profile that is created by data stolen from many locations,” Das explained. “The fact that this breach happened over a long period of time without detection indicates the lack of security at the service provider.”
Das added the hackers likely wouldn’t have hung around if they weren’t using the stolen personal details for profit.
“It is also unlikely that this data was not used for wrong reasons if the breach lasted as long as it did,” he said. “If the data was useless, the hackers would have moved on. It is time for organizations to take control of their data and its protection, even when it is in the hands of service providers.”
Airlines are an ideal target for bad actors trying to build these intricate consumer profiles.
“Airlines in general are a high-profile target, with loyalty data that can be easily monetized, and huge volumes of data, including often a large volume of payment data, as was seen in the British Airways breach,” Andrew Barratt, cybersecurity advisor with Coalfire, told Threatpost.
Why the Timeframe Matters
First, Barratt told Threatpost that the nine-year exposure window given by Malaysia Air tells him the service provider lacked any kind of regular security monitoring that would have helped pinpoint when the attack occurred.
He added that the airline could face regulatory repercussions too, since the high-profile 2014 disappearance of Malaysia Air 370 was within that timeframe.
“The question here is whether it happened within the nine-year period and they did not disclose until now or if it happened within the nine years and they just found out now,” Brandon Hoffman from Netenrich told Threatpost by email. “Based on the oddly specific, nine-year window, it seems likely that this issue persisted for all the nine years, or happened nine years ago, and they are just discovering it. If that turns out to be the case, then there is a whole different set of issues that need to be addressed from a cyber-hygiene perspective.”
Third-Party Service Providers Are Easy Cyber-Targets
Malaysia Air is just the latest organization to fall prey to a supply-chain attack carried out through a third-party IT service provider.
“This seems like the inflection point of two themes at the moment – a continued assault on third-party service providers, that are then leveraged to gain access to other parties and high-profile businesses that perhaps don’t have the appropriate third-party review programs in place,” Barratt said.
In the recent attack on SolarWinds, threat actors used trojanized updates to access some of the most sensitive data available within the United States government. FTA, a file-sharing service from Accellion, was meanwhile weaponized against its biggest customers starting last December, including law firm Jones Day, with more victims likely to surface in the months to come, according to experts.
Third-party service providers are and will continue to be a prime point of attack for cybercriminals.
“The reason is fairly simple. Service providers are less organized in terms of security,” Das said. “Their infrastructure is less secure and more easily penetrated. Hackers target them knowing that their access to potentially valuable data is easier [to crack].”
Basic due diligence, continuous monitoring and an increased focus on vendor security are critical to staving off this type of attack, Chris Clements from Cerberus Sentinel explained.
“One of the worst aspects of supply chain attack compromises is that it can be even harder to detect than a direct breach of an organization,” Clements said. “Now more than ever, businesses need to fully vet and actively manage vendors who may be able to access sensitive systems or data.”