John Bunyan reports:
The Ministry of Communications and Digital has ordered Capital A, the parent of AirAsia, to submit supporting documents and data for the investigation into the breach of the airline’s networks that exposed the personal information of millions of passengers and staff.
Communications and Digital Minister Fahmi Fadzil said the security breach affecting AirAsia customers and employees in three countries including Malaysia was being treated seriously.
Read more at MalayMail.
As regular readers of DataBreaches will remember, Daixin Team had claimed responsibility for that attack. In an email exchange with DataBreaches, they claimed they had attacked AirAsia on November 11 and 12. In addition to locking their files and servers and deleting their backups, they had reportedly exfiltrated data on 5 million passengers and employees. Those data were subsequently dumped on Daixin’s dedicated leak site.
AirAsia had never responded to DataBreaches’ inquiries, but The Star reported AirAsia’s statement that “the cyberattack was on redundant systems and did not affect our critical systems.” AirAsia also stated it had “taken all measures to immediately resolve this data incident and prevent such future incidents.”
The reason critical systems were not affected may have had something to do with what Daixin told DataBreaches prior to any publication about the breach — that they had intentionally and carefully avoided locking “XEN, RHEL – hosts of flying equipment (radars, air traffic control and such).” Were critical systems spared by good security, luck, or just the grace of Daixin? The government’s investigation will hopefully consider that to determine if the attackers could have impacted critical systems.
But perhaps the most striking part of the email exchange between Daixin and DataBreaches was Daixin’s commentary about AirAsia’s network security. They described it as so disorganized and chaotic that Daixin members balked at attacking the airline or continuing the attack:
The chaotic organization of the network, the absence of any standards, caused the irritation of the group and a complete unwillingness to repeat the attack.
… The group refused to pick through the garbage for a long time. As our pentester said, “Let the newcomers sort this trash, they have a lot of time.”
When DataBreaches asked whether AirAsia’s reportedly chaotic security had perhaps prevented further attacks and damage, Daixin agreed:
Yes, it helped them. The internal network was configured without any rules and as a result worked very poorly. It seemed that every new system administrator “built his shed next to the old building.” At the same time, the network protection was very, very weak.
In addition to what Daixin has already claimed to have done, Daixin shared with DataBreaches their intended plans for AirAsia. In light of the Malaysian government’s investigation into the incident, DataBreaches has reached out to Daixin to ask whether they ever took other actions that they had indicated they would be taking such as making the “information about the network — ‘including backdoors’ — available privately and freely on hacker forums.”
No reply was immediately available, but DataBreaches will update this post if a response is received.