A cybercrime Twitter channel detected on Sept 11 that the passport details of 30 million Lion Air passengers was available on the Dark Web.

On Wednesday (Sept 18), Lion Group subsidiaries Malindo Airlines and Thai Lion Air admitted that customers’ data had been compromised.

The leaked data was stored in a public cloud storage system created by Amazon Web Services, Malindo Air said.

Both airlines said they did not store payment details on their servers.

Two airlines have confirmed a leak of sensitive passenger data seven days after a cybercrime Twitter channel, named Under The Breach, detected it being shared and sold online.

The channel found that two directories of backup files for Malindo Air, Thai Lion Air and Batik Air containing over 30 million records of passport details, addresses and phone numbers had been posted by a hacker on the Dark Web.

All three are subsidiaries of Indonesia’s Lion Group.

Second database has 14 million records which include the name, date of birth, phone number, passport number and passport expiration date.

The information which was created in May, began circulating on multiple online forums as early as August 10, according to a report by Bleeping Computer, a cybercrime site.

It added that file names included references to Lion Air’s loyalty reward program and online booking service GoQuo.

On Wednesday (Sept 18), Thai Lion Air issued a statement on Facebook that it was aware of a data breach.

It clarified that it had not stored customers’ payment details on servers, and promised to “increase preventative measures” to protect customers’ data better in the future.

Malaysia’s Malindo Air also released a statement that had notified Malaysian and international authorities of the data breach.

The leaked data was stored in a public cloud storage system created by Amazon Web Services, an external data service provider, Malindo Air said.

It added that it was working with Amazon and GoQuo to investigate.

The airline also assured customers that it did not store customers’ payment details on its servers, but advised those with frequent flyer accounts to change their passwords.

The Straits Times reported that the airline declined to say how many customers had been affected by the breach.

Batik Air did not release any statements about the data breach.

