Tens of millions of records from customers of two airline companies owned by Lion Air have been circulating on data exchange forums for at least a month. The info was stored in an Amazon bucket that was open on the web.

The records are present in two databases, one with 21 million records, the other with 14 million entries, in a directory holding backup files created in May 2019 mostly for Malindo Air and Thai Lion Air.

Another backup file has Batik Air in its name, an airline whose parent organization is also Lion Air.

Sensitive personal information exposed

Leaked details include passenger and reservation IDs, physical addresses, phone numbers, email addresses, names, dates of birth, phone numbers, passport numbers, and passport expiration dates.

BleepingComputer could not find an announcement from Lion Air or its subsidiary airlines about a data exposure incident.

Researcher Under the Breach published samples of the two databases, making sure to mask the personal details of the passengers

Second database has 14 million records which include the name, date of birth, phone number, passport number and passport expiration date.



researchers, contact us for more details. pic.twitter.com/KIsTxhda7e — Under the Breach (@underthebreach) September 11, 2019

Data circulating for at least a month

It is unclear when the data was first accessed, but one user that collects sensitive information from various data exchange forums published on their website the link to the open AWS bucket on August 10.

Spectre told BleepingComputer that dumping of the two databases on multiple forums began after they published the AWS bucket URL.

On August 12, someone offered them on a relatively known data exchange community and some time later the bucket got secured.

Two databases from the cloud storage are still in circulation, though, available upon request. BleepingComputer saw the index of the open directory and noticed that backup files, the most recent from May 25, named 'PaymentGateway.'

Additional backup names included references to the company's loyalty reward program and the online booking service GoQuo that also provides customer analytics solutions.

BleepingComputer did not get access to the content of the backup files but the names of the entries alone suggest that highly sensitive information was exposed and is accessible to unauthorized individuals.

The mix of personal data that has already been converted to clear text qualifies as a privacy risk to their owners and has a high probability of being used by threat actors for financial gain.