Malindo Air confirmed the breach after cybersecurity firm Kaspersky alerted users in Malaysia, Thailand.

Malindo Air, the Malaysian subsidiary of Indonesia's Lion Group, said on Monday that two former employees of its e-commerce contractor were responsible for its passenger data breach.

Malindo Air confirmed the breach last week after Moscow-based cybersecurity firm Kaspersky alerted users in Malaysia and Thailand.

Kaspersky told Reuters in an email it had sent out an alert on Sept. 13, two days after the data breach was made public.

Kaspersky said in its alert that the personal details of almost 46 million passengers of Malindo and Thai Lion Air, another Lion Group subsidiary, were posted online. Kaspersky said parts of the leaked databases were offered for sale.

Malindo Air said in a statement that two former employees of e-commerce services provider GoQuo (M) Sdn Bhd in their development centre in India "improperly accessed and stole the personal data of our customers".

Reuters could not immediately reach GoQuo for comment. Phone numbers for GoQuo's offices in India and Malaysia listed on the company's website did not go through. Malindo did not name the two former GoQuo employees.

The airline said the data breach had been contained and the matter has been reported to the police in Malaysia and India.

Malindo Air also said the breach was not related to the security of cloud service provider Amazon Web Services' data architecture, and none of the payment details of customers were compromised.