Malaysia Airlines has notified its frequent flyer members of a security incident involving a third-party IT service provider. According to an email sent to Enrich members on Monday 1 March, the airline advised that the incident took place over a nine-year period between March 2010 and June 2019. It did not, however, disclose the number of individuals impacted. The breached data includes Enrich member names, dates of birth, gender and contact details, in addition to frequent flyer number, status and tier level information.
Just a few days after this incident, Singapore Airlines reportedly announced that over 580,000 KrisFlyer and PPS members had been affected by a data breach. The breach involved the passenger service system servers of SITA, an air transport information technology company.
The Guru reached out to several cybersecurity experts to get their thoughts on the news.
Florian Thurmann, Technical Director, EMEA, Synopsys Software Integrity Group:
“Many organizations don’t see the full picture of what their third-party vendors do with their critical data and systems. For example, if a vendor uses a shared account to access your corporate network, your organization won’t be able to determine which of their employees has made a given change in the system. This lack of visibility, control, and security insight leaves a critical blind spot. Every organization has the responsibility to ensure their software supply chain vendors meet your cybersecurity policy requirements.
As we’re seeing in the case of Malaysia and Singapore Airlines, even when a data breach takes place within a vendor’s systems, it’s the responsibility of the airline to ensure the privacy o ..