Following data breach reports, what does AirAsia do with customer data?

• The Daixin Team collected the personal data of 5 million passengers and all employees.
• AirAsia has no intention of paying the ransom.

Cybersecurity breaches have risen in tandem with the number of organizations doing business online. It is worrying how frequently cybersecurity breaches occur in companies of all sizes. Given the recent high-profile data breaches that have affected the aviation, healthcare, finance, retail, government, industrial, and energy sectors, it is evident that the threat landscape has changed substantially over the past few years, putting users’ personal data at risk. Earlier this month, on November 11 and 12, a cybercriminal group called the Daixin Team launched a ransomware attack against the AirAsia Group.

The threat actors, who were the subject of a recent US Cybersecurity and Infrastructure Security Agency alert, reportedly alerted DataBreaches on November 19 that they had obtained the personal data of 5 million distinct passengers and all employees.

DataBreaches also reported that they received two .csv files from Daixin Team that were also given to AirAsia Group, one of which contained information on named passengers. The second file, on the other hand, had information about the employees, including names, dates of birth, places of birth, dates of employment, “secret question,” and its answer.

The spokesperson for Daixin said that AirAsia responded to the attack. They later entered the chat, requested an example of the data from Daixin’s negotiator, and then “asked in great detail how we would delete their data in case of payment.”

According to reports, AirAsia did not attempt to negotiate over the price, which could mean they never intended to pay anything. The spokesperson told DataBreaches that “usually everyone tries to negotiate a smaller amount.” DataBreaches is unaware of the sum that Daixin Team demanded in exchange for a decryption key, the deletion of all the data they had taken, and the disclosure to AirAsia Group of the vulnerabilities they had found and exploited.

The spokesperson for Daixin said that inadequate network management on the part of AirAsia Group saved the company from additional attacks. Daixin Team claims that, despite supposedly encrypting numerous resources and deleting backups, they did not act as aggressively as they typically might do.

The number of databases and leaks on hacking-related forums or a search on this site attests to the fact that Malaysian companies have been frequent targets of cyberattacks over the past few years. There have been breaches at other Malaysian airlines,too: during 2020 and 2021, Malaysia Airlines reported data security incidents.

How AirAsia uses its customers’ data?

AirAsia uses customer data for their loyalty program, embedded through the airasia super app, called airasia rewards. It is data-driven and uses information from transactional and non-transactional activity of its members, such as customer engagement. This includes commercial and non-commercial use cases. Coincidentally, a statement on how they make use of their data was released recently, following the news of the data breach.

Through their loyalty program, they have another method of collecting customer data: through user engagement activities like their in-app games found BIGGIE Wonderland. By playing these games, customers can earn airasia points daily.

“To engage the right audience, airasia rewards uses high-quality behavioral data and incorporates real-time hyper-personalization into its marketing strategy. By analyzing behavioral data, we will segment members based on their level of loyalty, which leads to conversions— truly moving the business forward,” the statement said.

Using high-quality data and machine learning (ML), AirAsia said it can develop a data-powered member journey that covers hyper-personalization, cross-line of business recommendation, accurate target marketing and nano influencer model.

The statement also noted that, “All marketing campaigns are executed towards the segmented target audience with personalized messaging through the following platforms to pique interest and purchasing activity, which eventually leads to retain loyalty among existing consumers.”

It’s interesting to see that, despite the company’s emphasis on how they use customer data and how they could benefit from it, there is no mention of how their consumers can feel secure and safe after their data is shared.

Of course, AirAsia does mention in their privacy policy that they, along with the AirAsia Group of Companies, promise to take all reasonable precautions to protect customers’ privacy.

However, customers will start questioning the company about the likelihood that these loyalty programs could one day result in a data leak of their personal information in light of the latest ransomware attack.

DataBreaches did write to AirAsia Group’s data protection officer with inquiries, but no response was received at the moment. AirAsia should address this matter publicly to avoid misunderstandings and guarantee the safety of its customers’ and employees’ data.

In the past, Tony Fernandes, who recently stepped down as group CEO of AirAsiaX to focus on returning AirAsia Group to profitability, has highlighted how the company prioritizes the security of their customers’ data, having in place numerous security features to avoid such problems.

---

---

---

---