Gobind to review facts on Malindo data breach


THE Ministry of Communications and Multimedia is expected to investigate the recent Malindo Airways Sdn Bhd data breach which has exposed the personal details of millions of its passengers.

Minister Gobind Singh Deo said he has sought a full report regarding the matter.

“It is important that I review the full facts before making a statement, especially as the case is currently being investigated,” he told the press at the National Fiberisation and Connectivity Plan (NFCP) 2019-2023 launch in Putrajaya yesterday.

The breach resulted in passengers’ information including passport details, home addresses and phone numbers being leaked through online data exchange forums.

The local unit of Indonesian low-cost carrier PT Lion Mentari Airlines (Lion Air) said in-house teams together with external data service providers Amazon Web Services Inc and GoQuo — an e-commerce partner — are investigating the matter.

Gobind did not say when the report would be concluded, but hoped that the study could be done as soon as possible.

“I hope they will speed up with the report as this is a very important matter. Many are concerned over the issue of security,” he said.

On Wednesday, Malindo Air CEO Chandran Rama Muthy confirmed the leak.

He said the airline is in the midst of an investigation and had already contacted the Malaysian Communications and Multimedia Commission on Tuesday.

Malindo — a subsidiary of Lion Air — operates from two airports in Kuala Lumpur and has a network of about 40 routes across the region.

Data leaks have been a worrying trend lately.

Malindo was the latest victim, less than 28 days from the last reported case involving Astro Malaysia Holdings Bhd, where the media group’s customers’ MyKad data were exposed.

Astro had recently discovered unauthorised access to its subscribers’ MyKad data such as their names, identity card numbers, birth dates, genders and addresses.

Following the increase in data breach cases over recent years, legal and cyber-security experts are calling for a mandatory data breach disclosure regulation to be introduced in Malaysia.

“There should be a data breach notification law. Data subjects have the right to know that their information has been compromised and take steps to secure the data,” Bar Council’s information technology and cyber laws committee deputy chairman Foong Cheng Leong told The Malaysian Reserve in an earlier report.

He added that the Personal Data Protection Commissioner had introduced a consultative paper to propose the mandatory disclosure, but the progress has been muted so far.

Currently, parties suffering from a data leak in Malaysia are not obliged to notify the authorities or the victims.

“In Europe, under the General Data Protection Regulation, any companies including foreign firms with an office in and/or serving the European region are required to lodge a report of any data breach within 72 hours.

“Organisations face the risk of a fine up to 4% of global revenue in the event of a data breach,” Foong said.