Malaysia Airlines has suffered a data breach spanning nine years that exposed the personal information of members in its Enrich frequent flyer program.
Starting yesterday, Malaysia Airlines began emailing members of their Enrich rewards program to disclose that they were affected by a data breach.
According to Malaysia Airlines, the breach occurred at a third-party IT service provider who notified the airline that member data was exposed between March 2010 and June 2019.
“Malaysia Airlines was notified of a data security incident at one of its third-party IT service providers which involved some personal data of members of Enrich, Malaysia Airlines’ Frequent Flyer Programme between the period of March 2010 and June 2019. The incident did not affect Malaysia Airlines’ own IT infrastructure and systems in any way.”
The member information exposed during the data breach includes member names, contact information, date of birth, gender, frequent flyer number, status. and rewards tier level.
The exposed data did not include Enrich member’s itineraries, reservations, ticketing, or any ID card or payment card information.
While Malaysia Airlines says that no passwords were exposed and there is no evidence of misuse, the airline recommends that users change their passwords anyway.
It is unknown how many Enrich members were affected by this breach.
BleepingComputer has contacted Malaysia Airlines with further questions but has not heard back.
What should Malaysia Airlines Enrich program members do?
If you are a member of the Enrich program, you should immediately login to your account and change your password. If this password is utilized at other sites, it should be changed there as well.
Malaysia Airlines further warned that it would not be contacting members about updating their information over the phone.
Therefore, if you receive a phone call from Malaysia Airlines about this breach or asking for further information, you should be immediately suspicious and hang up the call.
It is common for threat actors to use data found in data breaches to perform malicious attacks, and all Enrich members should be wary of emails, texts, and calls from the airline.