KUALA LUMPUR, Sept 18 ― Malaysia-based Malindo Air and its Indonesian parent company Lion Air suffered a massive data breach resulting in the personal data of millions of passengers being leaked onto data exchange fora last month.

The breach and leak was confirmed by Malindo Air CEO Chandran Rama Muthy and first reported by South China Morning Post (SCMP) this morning.

“We found out about this breach last week. We and a third party vendor are checking as we speak, and will come up with a statement soon.

We will advise passengers accordingly as per the investigation outcome,” he was quoted saying.

The data leak reportedly included passport details, home addresses and phone numbers of passengers, though the exact number of people affected is yet unknown.

Chandran said the airline has initiated internal investigations and has also reported the breach and leak to the Malaysian Communications and Multimedia Commission (MCMC) last Tuesday.

He added that Malindo Air will engage an independent cybersecurity firm for a full forensic analysis on the leak.

The Hong Kong daily reported that the files of passengers who flew with the airlines were uploaded and stored in an open Amazon web services bucket, a public cloud storage resource.

According to SCMP, the files ― titled “Passenger Details” or “Passengers” ― contain full names, home addresses, email addresses, dates of birth, phone numbers, passport numbers and expiration dates.

A total of four files ― two belonging to Malindo Airlines and two belonging to Thai Lion Air ― were dumped online by a figure known as “Spectre”, an operator of a dark web site on download links for leaked data.

SCMP reported that the data dump was shared on instant messaging service Telegram, as well as on cloud storage and file-hosting services such as mega.nz and openload.cc.

Batik Air, another Lion Air subsidiary based in Jakarta, Indonesia, is also reportedly affected.