Malaysia Airlines reported suffering a data breach compromising information belonging to members of its frequent flyer program. It is believed that the breach occurred roughly nine years ago. The airline has notified its members by email that the breach took place at its third-party IT supplier. Cybersecurity experts reacted below on the danger of third-party partners and why it took so long for the airline to detect the breach.
Information Security Buzz (aka ISBuzz News) is an independent resource that provides the experts comments, analysis and opinion on the latest Information Security news and topics
<p>While this information may seem fairly benign, it serves as the basis for establishing an individual’s identity on any number of other systems. Thus, it can be used to create fraudulent accounts, it can be leveraged to gain unauthorized access to existing accounts, and it can be used to create phishing activity targeted at these individuals. The phishing implications cannot be overlooked, as the better an attack is able to target an individual using real information, the more successful it will be.</p>
<p>Within society, any time we provide any information about ourselves to another organization, there is an expected level of privacy. When data is provided to organizations for reward programs, the possibility of that organization being attacked and having data stolen is a risk.</p> <p> </p> <p>Within an organization\’s robust security program, along with a layered defense within the network and environment for the protection of sensitive information, it is essential to conduct red team or pen testing exercises. This activity provides the opportunity to discover weaknesses and take corrective actions to reduce the risk of an attack. </p> <p> </p> <p>When working with third-party organizations for providing services, it is vital to conduct the necessary audits and periodic reviews to ensure that the third party is not the weakest link in your security chain.</p>
<p>It is extremely concerning that a data security incident belonging to one of the world’s major airlines has gone completely unnoticed for this length of time. Data security should be a priority for all organisations today and scanning for threats across all systems, both inhouse and third-party, is essential, especially when they hold confidential customer information. The most important thing for Malaysia Airlines to do now is communicate everything it knows about the attack to customers and shareholders and try to establish the full impact of how many customers were affected and what data was put at risk. Transparency is key in this situation.</p>
<p>The Malaysia Airlines breach is further proof that addressing data breaches that occur outside the corporate firewall is vital to managing your third-party risk. As more organisations turn to cloud providers for everything from infrastructure to apps, to support employees, save money and enable digital transformation, they are expanding their attack surface exponentially.<u></u><u></u></p> <p> </p> <p>Organisations must constantly scan for leaked documents outside the enterprise perimeter, including connected storage, open databases, cloud applications and the Dark Web to uncover confidential and sensitive data quickly, before it is exploited.</p>
<p>Unfortunately, the Malaysia Airlines breach is a reminder how many more strides need to be made before we can put all defenders on higher ground from the cyber attackers. It isn\’t acceptable to hear that the airline thinks the breach could have happened sometime between 2010-2019. Total transparency is needed and they need to hone in on more specific details and be completely transparent with Enrich members. I guarantee members were shocked, as I was, to hear that their personal information has been in the wild for more than nine years. It is beyond unacceptable. In the short term, Enrich members need to stay on top of their credit reports, check their bank statements regularly and frequently update their passwords. For Malaysia Airlines, they can come out of this either the hero or the villain. They can\’t be the victim. I suggest the hero by being honest, open and transparent about the immediate remediation steps they are taking and the preventative measures they are putting in place to protect Enrich members in the future.</p>