Malaysia Airlines Berhad has disclosed a data breach that involved the theft of data from its frequent flyer program, but in a twist on a standard data theft story, the airline said the breach spanned nine years.

The data breach involved a third-party information technology service provider that was tasked with running the airline’s Enrich rewards program for a period running from March 2010 to June 2019. The data exposed included member names, contact information, dates of birth, gender, frequent flyer numbers, and status and rewards tier level.

Malaysia Airlines noted that the exposed data did not include itineraries, reservations, ticketing or any ID card or payment information. While also adding that no passwords are believed to have been exposed, the airline is recommending Enrich members change their passwords as a precaution.

Although the form of the data breach is unknown, Channel Asia noted today that it comes a month after Singapore Telecommunications Ltd. disclosed it had suffered a data breach. The Singtel data breach was another on a list of thefts of data related to a vulnerability in software from Accellion Inc. that is known to include Bombardier Inc., Jones Day and the Office of the Washington State Auditor,

“Malaysia Airlines seems to have a really broad time frame for the data breach, indicating that they probably didn’t have adequate monitoring and alerting systems in place, which may pose some concerns for them if there is GDPR relevant data exposed,” Andrew Barratt, managing principal, solutions and investigations at cybersecurity advisory firm Coalfire Systems Inc., told SiliconANGLE. “Airlines in general are a high profile target, with loyalty data that can be easily monetized and huge volumes of data including often a large volume of payment data as was seen in the British Airways breach.”

Purandar Das, chief executive officer and co-founder of encryption-based security company Sotero Inc., noted that organizations continue to be hurt by third-party service providers that don’t have enough protection.

“The reason is fairly simple,” Das said. “Service providers are less organized in terms of security. Their infrastructure is less secure and more easily penetrated. Hackers target them knowing that their access to potentially valuable data is easier.”

Photo: Channelsking/Wikimedia Commons