What businesses can learn from Malindo’s data breach incident
Malindo Airline’s passenger data were exposed at the data exchange forum. The subsidiary of Lion Group did not mention the amount of leaked data. However, a Twitter account @underthebreach revealed that the first database contained 21 million passengers’ data and the second one contained 14 million data. The leaked data is stored on a public cloud storage created by Amazon Web Service (AWS). The data had been leaked for a month, but Malindo only learned of the incident last week.
Complying with the Malaysia Personal Data Protection Act 2010, Malindo Air along with AWS and GoQuo – Malindo’s e-commerce contractor – investigated the incident soon after the leak was discovered with the assistance of a cybercrime consultant. AWS Singapore claimed that there was no further vulnerability in their cloud systems. The final investigation revealed that two former employees of GoQuo were behind the data breach.
Quoted from Reuters (09/23), Malindo stated that the former employees at their development center in India had improperly accessed and stolen passenger data. Malindo has reported and submitted the legal process of the two perpetrators to Malaysian authorities.
However, the problem did not just end. There is a potential impact that will be faced by every victim of a data breach, which is the loss of consumer trust.
The 2019 Cost of a Data Breach Report found that the loss of consumer trust caused severe financial consequences for businesses. The loss of consumers is also the most significant factor that contributes to costs due to data breaches.
The report states that the average loss incurred by the company in the study was 1.42 billion US dollars, which is 36% of the total average cost of 3.92 billion US dollars.
What can businesses do?
What we can learn from the Malindo case is that third parties or vendors, on the one hand, have an essential role in business development, but on the other hand, carry risks. A recent study states that the most expensive cybersecurity incident is related to cloud and data protection provided by vendors.
However, at least there are several efforts to mitigate data breaches that businesses can do, including:
1. Know Your Vendor. Companies need to know who their potential vendors are, including knowing what companies are in the vendor’s network.
2. Enhancing cybersecurity. Cybersecurity is a sophisticated security system that requires its practitioners’ persistence and discipline to update and implement knowledge about the system continually. From the report, it is known that extensive encryption is a form of security-related effort that has the most significant impact in minimizing losses.
3. Continuous vendor assessment
Assessment on vendors is a necessary routine to minimize any risks which emerge from changes. Instead of using conventional monitoring, continuous cybersecurity monitoring is the most efficient way to ensure that company data is protected from time to time and to manage relationships with third parties.