KUALA LUMPUR: Malaysia Airlines Bhd has experienced a data security "incident", which may have compromised personal information of members of its Enrich frequent flyer programme dating as far back as March 2010.
Enrich members were notified by email on Monday that personal data including their name, date of birth, contact information and various frequent flyer data such as number, status and tier level might have been compromised.
"Malaysia Airlines was notified of a data security incident at one of its third-party IT service providers which involved some personal data of members of Enrich, Malaysia Airlines' Frequent Flyer Programme between the period of March 2010 and June 2019," the email said.
"The personal data involved in the incident included Enrich member names, date of birth, gender, contact details, frequent flyer number, frequent flyer status and frequent flyer tier level. It did not include any information about itineraries, reservations, ticketing, or any ID card or payment card information," it added.
Malaysia Airlines, in the email, said it had no evidence that any personal data had been misused, and that "the incident did not disclose any account passwords."
The national carrier assured that the incident did not affect its IT infrastructure and systems.
Malaysia Airlines, nevertheless, encouraged Enrich members to change their account passwords as a precautionary measure.
It will not contact members by telephone with regard to updating their personal information.
"Members can require further guidance on how to protect their personal information and enquire to MAB Data Privacy Officer at syedzafarullah.abduljaafar@malaysiaairlines.com or anisizzaty.razman@malaysiaairlines.com," it said.
When contacted on whether it would issue a statement yesterday, a Malaysia Airlines spokesperson said: "Not at the moment. We've reached out to customers directly."
Meanwhile, Synopsys Software Integrity Group technical director Florian Thurmann said many organisations did not see the full picture of what their third-party vendors had done with their critical data and systems.
"For example, if a vendor uses a shared account to access your corporate network, your organisation would not be able to determine which of their employees has made a given change in the system," Thurmann said in a statement today.
The lack of visibility, control, and security insight led to a critical blind spot, he added.
"Every organisation has the responsibility to ensure their software supply chain vendors meet your cybersecurity policy requirements."
Thurmann added that even when a data breach had taken place within a vendor's systems, it was the responsibility of the airline to ensure the privacy of its customers' data.
"This is not only the case for airlines, but for organisations across all industries. For this reason, it is critically important to ensure your vendors take security as seriously as your organisation, if not more," he said.