TASK 1: Computer Forensics

Data Breach Incident in Malaysia Airlines

By Nurul Shabilla Shaherra binti Muhammad Asri Tan (CD17058)

infographics about data breach in Malaysia Airlines

Discussion

a) Six Classifications: motive, target, skill level, type of security incident, role of computer and level of privilege.

Motive: the motives are financial reasons and stealing personal data.

Target: the airline's Enrich members' names, contact addresses, birthdates, gender, frequent flyer numbers, rank, and personal rewards tier level were among the information leaked.

Skill Level: The airline said that member data was exposed between March 2010 and June 2019, a total of 9 years.

Type of security incident: the type of security incident that occurred is a data breach. Malaysia Airlines was notified of a data security incident at one of its third-party IT service providers, which involved some personal data of members of Enrich.

Role of Computer: the computer was used to hack Enrich personal data, which caused members of the Enrich frequent flyer programme to be affected by the security breach. The incident had no effect on Malaysia Airlines’ IT infrastructure or networks, according to the airline.

Level of privilege: the level of privilege in this data breach is unauthorized access, which means an insider gains access to another user’s account, either by stealing it or by mistake.

b) Construct ONE (1) situation that fits the criteria of a civil case

Malaysia Airlines has reported that a third-party IT service provider was involved in a “data protection incident.” The breach also had no effect on the carrier’s core IT infrastructure and systems, according to the firm. According to Channel Asia, the airline said that the incident happened sometime between March 2010 and June 2019.

Malaysia Airlines seems to have a very long timeline for the data breach, implying that it didn’t have proper detection and alerting mechanisms in place, which may raise some questions if GDPR-relevant data was revealed. Airlines in general are a high-profile target, with easily monetizable reward data, massive amounts of data, and a significant amount of payment data, as seen in the British Airways breach.

Based on the oddly specific nine-year window, it appears that this problem has been ongoing for the past nine years, or that it occurred nine years ago and they are only now finding it. If this is the case, a whole new set of problems arises that must be resolved from a cyber hygiene perspective.

c) Suggest two points where you see the PDPA should be improved

Suggestion 1:

Data user to implement privacy by design

Privacy by design is a philosophy that incorporates privacy into the data user’s device life cycle. There is currently no specific requirement instructing a data user to consider privacy by design during the development process of a manual or digital system in the organization. The concept of privacy by design is gaining traction as a way for data users to take proactive security steps.

Suggestion 2:

The exchange of personal data between a data user and an entity located outside Malaysia

Data users with international branches must share information with the entity at some stage. In general, Act 709 does not prohibit the transfer of personal data outside of Malaysia if the conditions are met [section 129]. However, security measures should be put in place to prevent data breaches during the transfer.

Reflections:

Artifacts:
