It boggles the mind, but when a national carrier downplays a massive data breach, there is more than meets the eye.

Data security incidents are taken so seriously nowadays that the incumbent firms are fined heavily and put under heavy scrutiny by customers and stakeholders at every level. The reputational and brand damage can be crippling, given the current global economic situation.

Now, imagine a cybersecurity incident that actually lasted nine years without being detected! As disclosed by Malaysia Airlines itself, the breach involved the private data of members of its frequent flayer program Enrich.

The breach happened between March 2010 and June 2019 and breached personal data included names, dates of birth, contact information, and various frequent flyer data such as number, status, and tier level may have been compromised.  Data that was supposedly not breached included flight itineraries, reservations, ticketing, ID card numbers, and payment card details.

How did it fester so long?

According to the airline’s email to affected customers this month, the breach involved a third-party IT service provider, but “did not affect” the carrier’s own IT infrastructure as well as system. Additionally, it said that “there is no evidence so far that suggests the information involved in the data incident has been used elsewhere.”

The carrier has since recommended all affected members to change their passwords even though account passwords had supposedly not been part of the nine-year-long breach.

The question on everyone’s mind is, how could this incident have taken place for so many years? When disclosing the incident, the carrier did not do so on its official communications channels, but discreetly notified people via private emails.

With such untransparent corporate behavior, the question will likely remain unanswered until the authorities are pressured to investigate the incident and mandate full disclosure. However, experts in the cybersecurity industry have said the extraordinary period of the breach is troubling. One observer noted that if the data was not of use early on in the breach, then hackers would have abandoned the exercise long before nine years were up.

Reactions from various experts have ranged from astonishment to puzzlement to disdain, because of the obvious absence of cybersecurity hygiene that leads to such a long period of breach. Also, it is a telling reminder that laws around disclosure-time and transparency need to be tightened.

No liability: blame the external vendor?

Another expert, Florian Thurmann, Technical Director (EMEA), Synopsys Software Integrity Group, said
many organizations do not see the full picture of what their third-party vendors do with their critical data and systems: “For example, if a vendor uses a shared account to access your corporate network, your organization won’t be able to determine which of their employees has made a given change in the system. This lack of visibility, control, and security insight leaves a critical blind spot. Every organization has the responsibility to ensure software supply chain vendors meet your cybersecurity policy requirements.”

Apparently, this oversight was left unchecked for years in Malaysia Airlines. “Even when a data breach takes place within an external vendor’s systems, it’s the responsibility of the airline to ensure the privacy of their customers’ data. This isn’t only the case for airlines, but for organizations across all industries. For this reason, it’s critically important to ensure vendors take security as seriously as your organization, if not more,” Thurmann reiterated.

In that regard, the airline has broken the recommended protocol for open and full disclosure in data breaches. Could its lackluster public relations in this matter have been due to the fact that its external vendor was the main cause? Too bad, data protection authorities will not see it that way. Historical legal evidence already points to more severe punitive fines for organizations that are replete in breach disclosure.

Could the breach have already been discovered earlier but suppressed due to its unfortunate timing alongside the mysterious MH370 incident in 2014? Or did the IT team in the carrier really only discover the breach recently. Even with further official announcements in future, we may never know what actually happened.

Given that the carrier’s survival hangs in the balance, with political support for a bailout dimming in October 2020, we will leave it to readers’ imagination as to how this massive breach incident will be the last straw or death blow.  

In the meantime, organizations not only need to step up measures to enforce vendor security standards, but also address responsible and ethical public relations and crisis communications protocols.