One of the biggest airlines in Malaysia is dealing with a major breach, as the personal data of about five million employees and passengers has been stolen in a ransomware attack.
The attack is noteworthy not just because of the prominence of the company and the size of the breach, but because the attackers felt compelled to mention that the internal network was in such a poor state that they were ceasing any further attacks against AirAsia out of some combination of sympathy and frustration.
Theft of personal data not thought to impact flight operations
The lone bright spot in this ransomware attack is that it seems to be limited to stored personal data, specifically passenger flight booking records and some sort of employee files. It does not appear to be an attack on the everyday operations of AirAsia, which is always a concern since ransomware groups started actively targeting critical infrastructure and hospitals.
The hackers responsible claimed that they were stopping short of doing any more damage out of frustration at how “chaotic” and disorganized the company’s internal network was, and out of some sort of mercy. That is an odd development for a hacking squad, the Daixin Team, that has been known to opportunistically target hospitals with its ransomware attacks over the past year. The attackers seemed to be put off by the amount of work it took to comb through the AirAsia network looking for valuable information.
Some security experts believe that the group, which has become active and successful enough to merit a warning bulletin from US authorities, is now pivoting from the smaller hunting grounds of patient care facilities to the bigger field of critical infrastructure. The gang uses “double extortion” techniques, publishing stolen personal data on a dark web site when victims refuse to pay. The group’s primary approach appears to be scanning for known but unpatched vulnerabilities in company VPN systems.
Extent of damage from AirAsia ransomware attack remains unknown
The ransomware attack apparently unfolded on November 11 and 12, with samples of employee personal data and passenger booking information leaked via the group’s dark web site several days later. It is not clear whether the passenger data contains payment information, but the group claims to have stolen a vast quantity of personal information belonging to AirAsia employees. The airline has about 22,000 employees in total.
The damage may be extensive, as AirAsia is one of Malaysia’s largest airlines (with the biggest fleet of any in the country and the largest selection of domestic and international destinations). The airline carries about five million passengers annually. However, the known compromised passenger information appears to be limited to loyalty program ID numbers paired with destinations and ticket prices. The stolen employee personal data is more concerning, reportedly containing dates of birth, addresses, and the secret questions and answers used for password recovery.