A 3rd-party IT provider exposed valuable airline data that experts say could be a treasure-trove for cyber-criminals.
Malaysia Airlines sent out an email to frequent flyer program members assuring them that there’s “no evidence” their personal data has been misused after a supply-chain attack via a 3rd-party vendor.
However, experts believe that unlikely. They say the repercussions could be significant.
Frequent Flyer Program
Malaysia Airlines’ frequent flyer program, Enrich, was breached around Mar. 2010 & remained exposed until June 2019, leaving 1,000s of members’ personal data, including name, date of birth, gender, contact information, ID number, status & tier level unprotected, an email sent out to members from the company said.
Malaysia Airlines has not released a formal statement, but its official Twitter account @MAS offered some explanation in a Mar. 1 response to a user, linking to news of the breach.
Statement
“…The data security incident occurred at our 3rd-party IT service provider & not Malaysia Airlines’ computer systems.” the airline’s account responded. “However, the airline is monitoring any suspicious activity concerning its members’ accounts and in constant contact with the affected IT service provider to secure Enrich members’ data and investigate the incident’s scope & causes.”
A further tweet from the airline added, “Kindly note that Malaysia Airlines has no evidence that the incident affected any account passwords. We nevertheless encourage members to change their passwords as a precautionary measure.”
Malaysia Air Data
Stolen personal data collected from sources like loyalty programs can be pieced together with other details to create a full, incredibly detailed profile of a victim, which can be used in attacks ranging from socially engineered spear-phishing campaigns to straightforward fraud.
The attackers’ persistence demonstrates how much value they saw in the Malaysia Air data, Purandar Das, CEO of security firm Sotero, commented — along with showcasing a lack of defences.
“This stolen data forms a part of the consumer’s profile that is created by data stolen from many locations,” Das explained. “The fact that this breach happened over a long period of time without detection indicates the lack of security at the service provider.”
Take Control of their Data
Das added the hackers likely would not have stayed around if they were not using the stolen personal details for profit.
“It is also unlikely that this data was not used for wrong reasons if the breach lasted as long it did,” he observed. “If the data were useless, the hackers would have moved on. It is time for organisations to take control of their data & its protection, even when it is in the hands of service providers.”
Airlines are an ideal target for bad actors trying to build these intricate consumer profiles.
“Airlines in general are a high-profile target, with loyalty data that can be easily monetized, & huge volumes of data, including often a large volume of payment data, as was seen in the British Airways breach,” Andrew Barratt, Cyber-Security Advisor with Coalfire, commented.
Timeframe
Barratt outlined that the 9-year window offered by Malaysia Air for the exposure tells him the service provider lacked any kind of regular security monitoring that would have helped pinpoint the attack timing.
He added that the airline could face regulatory repercussions too, since the high-profile 2014 disappearance of Malaysia Air 370 was within that timeframe.
“The question here is whether it happened within the 9-year period & they did not disclose until now or if it happened within the 9 years & they just found out now,” Brandon Hoffman from Netenrich explained.
“Based on the oddly specific, nine-year window, it seems likely that this issue persisted for all the 9 years, or happened 9 years ago, & they are just discovering it. If that turns out to be the case, then there is a whole different set of issues and that need to be addressed from a cyber-hygiene perspective.”
Third-Party Service Providers
Malaysia Air is the latest organisation to become the target of a supply chain attack of a 3rd-party IT service provider.
“This seems like the inflection point of 2 themes at the moment – a continued assault on 3rd-party service providers, that are then leveraged to gain access to other parties & high-profile businesses that perhaps don’t have the appropriate third-party review programs in place,” Barratt observed.
Most Sensitive Data
In the recent attack on SolarWinds, threat actors used trojanized updates to access some of the most sensitive data available within the US Govt. FTA, a file-sharing service from Accellion was meanwhile weaponised against its biggest customers starting last Dec., including law firm Jones Day, with more victims likely to surface in the months to come, according to experts.
3rd-party service providers are & will continue to be a prime point of attack for cyber-criminals.
“The reason is fairly simple. Service providers are less organised in terms of security,” Das observed. “Their infrastructure is less secure & more easily penetrated. Hackers target them knowing that their access to potentially valuable data is easier to crack. ”
Due Diligence
Basic due diligence, continuous monitoring & an increased focus on vendor security are critical to staving off this type of attack, Chris Clements from Cerberus Sentinel explained.
“One of the worst aspects of supply chain attack compromises is that it can be even harder to detect than a direct breach of an organisation,” Clements stated. “Now more than ever, businesses need to fully vet & actively manage vendors who may be able to access sensitive systems or data.”
