DataBreaches.Net


AirAsia victim of ransomware attack, passenger and employee data acquired

Posted on November 19, 2022 by Dissent

AirAsia Group* pledges to be responsible when gathering personal information and to protect privacy “in every possible way.” That’s not a contract, mind you, but just an expression of their commitment.

On November 11 and 12, AirAsia Group fell victim to a ransomware attack by Daixin Team. The threat actors, who were the topic of a recent CISA alert, informed DataBreaches that they obtained the personal data of 5 million unique passengers and all employees.

DataBreaches was provided with two .csv files that Daixin Team also provided to AirAsia Group. One file contained information on named passengers. The second file contained employee information with numerous fields that included name, date of birth, country of birth, location, date employment started, their “secret question,” “answer,” and salt.

[Image: redacted screenshot of the spreadsheet with employee information. The .csv file with what appears to be employee data contained numerous fields with personal and work-related information, redacted by DataBreaches.net.]

According to Daixin’s spokesperson, AirAsia responded to the attack. They reportedly entered the chat quickly, asked Daixin’s negotiator for an example of the data, and after receiving the sample, “asked in great detail how we would delete their data in case of payment.” AirAsia reportedly did not try to negotiate the amount, which may indicate that they never had any intention of paying anything. “Usually everyone wants to negotiate a smaller amount,” the spokesperson told DataBreaches. DataBreaches does not know how much Daixin Team demanded to provide a decryption key, delete all data they had exfiltrated, and inform AirAsia Group of the vulnerabilities that had been found and exploited.

One point that Daixin’s spokesperson emphasized was that while locking files, the team had avoided locking “XEN, RHEL – hosts of flying equipment (radars, air traffic control and such).” That statement is consistent with statements Daixin Team has made to DataBreaches in other incidents where they have stated their avoidance of encrypting or destroying anything if the result could be life-threatening.

Somewhat surprisingly, Daixin’s spokesperson stated that poor organization on AirAsia Group’s network spared the company further attacks. Although Daixin Team allegedly encrypted a lot of resources and deleted backups, they say that they did not really do as much as they normally might do:

The chaotic organization of the network, the absence of any standards, caused the irritation of the group and a complete unwillingness to repeat the attack.

… The group refused to pick through the garbage for a long time. As our pentester said, “Let the newcomers sort this trash, they have a lot of time.”

DataBreaches cannot think of any other incident this blogger has reported on where threat actors told this site that they actually balked at pursuing an attack because they were irritated by the organization of a network. DataBreaches asked Daixin’s spokesperson if they would confirm that AirAsia’s poor organization really spared the airline from more attacks. The spokesperson responded,

Yes, it helped them. The internal network was configured without any rules and as a result worked very poorly. It seemed that every new system administrator “built his shed next to the old building.” At the same time, the network protection was very, very weak.

Security by incompetence? Could it catch on?

In any event, Daixin informed DataBreaches that in addition to leaking the passenger and employee data on their dedicated leak site, the group plans to make information about the network — “including backdoors” — available privately and freely on hacker forums. “The DAIXIN Team disclaims responsibility for future negative consequences,” they told DataBreaches.

DataBreaches sent email inquiries to AirAsia Group’s data protection officer yesterday and again this morning, but no reply had been received by publication.

Over the past few years, Malaysian entities have often been targets of cyberattacks, as the number of databases and leaks on hacking-related forums or a search of this site attests. AirAsia Group is not the only Malaysian air carrier to suffer a breach. Malaysia Airlines disclosed data security incidents in both 2020 and 2021.

* As of January 2022, AirAsia Group became Capital A Berhad, operating as AirAsia. AirAsia is a Malaysian multinational low-cost airline, and the largest airline in Malaysia by fleet size and destinations.

Related posts:

  • AirAsia’s parent company told to supply documents; government probes Daixin ransomware attack
  • OakBend Medical Center hit by ransomware; Daixin Team claims responsibility
  • Another hospital hit by ransomware: Columbus Regional Healthcare System in North Carolina hit by Daixin
  • Exclusive: Daixin Team claims responsibility for attacks affecting Canadian hospitals, starts leaking data
Categories: Breach Incidents, Business Sector, Commentaries and Analyses, Malware, Non-U.S.


3 thoughts on “AirAsia victim of ransomware attack, passenger and employee data acquired”

  1. FedFinder says:
    November 23, 2022 at 3:15 am

    This is a scathing indictment of AirAsia’s sysec protocols and they really need to assess their entire dev SOP.

  2. FedFinder says:
    November 23, 2022 at 3:16 am

    I hope this press spreads far and wide, if extortion won’t fix their SySec maybe public shaming would.

  3. malaysiaBoleh says:
    November 24, 2022 at 7:41 am

    Doing things half-assed in Malaysia is an institutional way of life here…


© 2009 – 2025 DataBreaches.net and DataBreaches LLC. All rights reserved.