MalindoAir 2019 Data Breach

Malindo Air Malaysian Airline Breach (2019): 74 Million Passenger Records Including Passport Numbers & Loyalty Data Exposed | ObscureIQ
ObscureIQ Breach Intelligence

Classification Tags

Spectre (with GoQuo insider conspirators Luqman Khan + Junaid Ahmed) · Misconfiguration · Travel: Air · Date of Birth · Email Address · Full Name · Gender · Loyalty Program Details · Nationality or Citizenship · Passport Number
High Severity · Website / service breach

Malaysian airline brand operating regional and international flights.

Verified by ObscureIQ Intelligence
Breach Risk Index: 62/100
Data Value: 35
Market Recency: 25
Since Breach: 469d

Breach Intelligence Summary

Entity: MalindoAir · Actor: Spectre (with GoQuo insider conspirators Luqman Khan + Junaid Ahmed) · Sources: 5 references
Attack: Misconfiguration
Profile: Company · Passenger air transportation · Commercial airline · Malaysia / Global
Timeline: Breach (2019-03-01) · Indexed (Jan 13, 2025) · Year (2019)
Exposure: 74.6M records · 10 fields: Date of Birth, Email Address, Full Name, Gender, Loyalty Program Details, Nationality or Citizenship, Passport Number, Phone Number, Physical Address, Salutation
Status: Confirmed

Executive Summary

Malindo Air, a Malaysian airline subsidiary of Indonesia's Lion Air Group, suffered a major data breach disclosed in September 2019. Passenger records also covered sister carrier Thai Lion Air and references to Batik Air, with data first spotted on dark-web forums by security researchers and circulated by a threat actor known as Spectre.

Initial speculation focused on a misconfigured Amazon Web Services S3 bucket, but Malindo Air later confirmed the actual cause was an insider attack by two former employees of GoQuo (M) Sdn Bhd, the airline's e-commerce and IT services partner, working out of a development center in India. The contractors improperly accessed and stole passenger data. Public reporting variously describes the affected scope as 21 million, 35 million, or 46 million records across the impacted Lion Air Group databases, with HIBP indexing roughly 4.3 million unique email addresses from the data made available publicly.

The exposed records included names, dates of birth, gender, salutations, nationalities, home addresses, phone numbers, email addresses, passport numbers, passport expiration dates, and Malindo Miles loyalty program details. No payment-card data was exposed, since payment processing was handled separately under PCI DSS controls. For affected passengers, the practical risk is severe and durable. Passport numbers paired with name, date of birth, and address support international identity fraud, visa-application scams, and border-related impersonation. Affected travelers should treat their passport details as compromised, monitor for any unusual travel-related contact, and remain alert to phishing referencing past Malindo Air bookings or loyalty points.

ObscureIQ assessment: Exposure enables travel fraud, phishing, booking impersonation, and physical-world targeting. Itinerary and passenger data can also reveal movement patterns and likely absence from home.

Breach Impact

The 2019 incident drew formal regulatory attention from Malaysian authorities and triggered a cross-border police investigation in India, where the implicated former contractors had been based. Public reporting has not surfaced specific fine amounts, settlements, or class-action outcomes tied to the incident, although Malaysia's Personal Data Protection Act framework was active at the time. The airline absorbed measurable reputational damage and an extended period of customer concern, particularly given the inclusion of passport data. Operationally, Malindo Air reset Malindo Miles passwords as a precaution and tightened controls over data access by third-party contractors. The breach contributed to broader Asia-Pacific scrutiny of airline-vendor data handling.

About MalindoAir

Malindo Air is a Malaysian commercial airline operating regional and international flights from its base in Kuala Lumpur. It is a subsidiary of Lion Air Group, the Indonesia-headquartered low-cost carrier conglomerate that also owns Thai Lion Air, Batik Air, and several other Southeast Asian carriers. The airline operates a fleet of narrow-body and turboprop aircraft, focusing on routes within Malaysia and to neighboring countries in Southeast Asia, South Asia, and Australia. Customer-facing systems include online booking, passenger management, the Malindo Miles loyalty program, and partner integrations with travel-services providers.

Why They Hold Your Data

Commercial airlines collect passenger identity, contact details, booking records, payment-adjacent information, itinerary data, and loyalty or support records across flight operations and customer-service systems.

Recent Developments

Malindo Air rebranded to Batik Air Malaysia in 2022 as part of a Lion Air Group consolidation, although legacy customer data from the Malindo Air period continues to circulate in breach-tracking databases under the original name. The airline cooperated with Malaysian authorities including the Personal Data Protection Commissioner and the National Cyber Security Agency in the wake of the 2019 incident and reported the matter to police in Malaysia and India. There have been no further publicly disclosed major breaches of the airline since 2019. The 2019 dataset has appeared on multiple data-trading forums and continues to be referenced by HIBP and other breach-tracking services.

Data Points Exposed

10 verified field types:
  • Date of Birth (High)
  • Email Address
  • Full Name (High)
  • Gender
  • Loyalty Program Details
  • Nationality or Citizenship (High)
  • Passport Number (Critical)
  • Phone Number
  • Physical Address (High)
  • Salutation

Exploitation & Downstream Threats

Threat Activity: Critical
Primary downstream threats:
  • Identity verification bypass using name + date of birth combination
  • SIM swap attacks where phone numbers are present
  • Targeted phishing campaigns using exposed email addresses
  • Doxxing risk from physical address exposure
Threat vectors:
  • Identity verification bypass
  • Phishing, credential stuffing & account takeover
  • Name-based social engineering
  • Profile enrichment
  • Loyalty point theft & account takeover
  • Targeted visa & government scams
  • International identity fraud & border exploitation
  • SIM swapping, vishing & SMS phishing
  • Physical stalking, mail fraud & identity verification
  • Home targeting, stalking & physical threat
  • Professional impersonation seeding

Threat Actor: Spectre (with GoQuo insider conspirators Luqman Khan + Junaid Ahmed)

Attribution and method are based on available breach intelligence. Reported attack vector: Misconfiguration.

Recommended Actions

If you believe your information may be included:

Protect Your ID Documents
Government-ID exposure enables document fraud — monitor and report misuse.
Enable MFA Everywhere
Turn on multi-factor authentication on email first, then financial accounts.
Report & Recover
If you spot misuse, start an official recovery plan and report fraud.

Frequently Asked Questions

What happened in the MalindoAir breach?

Malindo Air, a Malaysian airline subsidiary of Indonesia's Lion Air Group, suffered a major data breach disclosed in September 2019. Passenger records also covered sister carrier Thai Lion Air and references to Batik Air, with data first spotted on dark-web forums by security researchers and…

What data was exposed?

Verified fields include Date of Birth, Email Address, Full Name, Gender, Loyalty Program Details, Nationality or Citizenship, Passport Number, Phone Number, Physical Address, Salutation.

What should I do if I was affected?

Change reused passwords, enable MFA, and (if identity or financial data is involved) freeze your credit and monitor your accounts.

Sources & References

Every claim on this page is traceable. This breach draws on:

  • DataBreach.com (Breach Index): Record & field corroboration
  • Have I Been Pwned (Breach Index): Record & field corroboration
  • Dehashed (Cross-source): Independent catalogue listing
  • Keeper (Cross-source): Independent catalogue listing
  • ObscureIQ proprietary analysis (ObscureIQ Intelligence): Risk Index scoring & downstream-threat assessment
