Tens of millions of records from customers of two airline companies owned by Lion Air have been circulating on data exchange forums for at least a month. The info was stored in an Amazon bucket that was open on the web.

The records are present in two databases, one with 21 million records, the other with 14 million entries, in a directory holding backup files created in May 2019 mostly for Malindo Air and Thai Lion Air.

Another backup file has Batik Air in its name, an airline whose parent organization is also Lion Air.

Sensitive personal information exposed

Leaked details include passenger and reservation IDs, physical addresses, phone numbers, email addresses, names, dates of birth, phone numbers, passport numbers, and passport expiration dates.

BleepingComputer could not find an announcement from Lion Air or its subsidiary airlines about a data exposure incident.

Researcher Under the Breach published samples of the two databases, making sure to mask the personal details of the passengers 

Data circulating for at least a month

It is unclear when the data was first accessed, but one user that collects sensitive information from various data exchange forums published on their website the link to the open AWS bucket on August 10.

Spectre told BleepingComputer that dumping of the two databases on multiple forums began after they published the AWS bucket URL.

On August 12, someone offered them on a relatively known data exchange community and some time later the bucket got secured.

Two databases from the cloud storage are still in circulation, though, available upon request. BleepingComputer saw the index of the open directory and noticed that backup files, the most recent from May 25, named 'PaymentGateway.'

Additional backup names included references to the company's loyalty reward program and the online booking service GoQuo that also provides customer analytics solutions.

BleepingComputer did not get access to the content of the backup files but the names of the entries alone suggest that highly sensitive information was exposed and is accessible to unauthorized individuals.

The mix of personal data that has already been converted to clear text qualifies as a privacy risk to their owners and has a high probability of being used by threat actors for financial gain.

Related Articles:

INC Ransom threatens to leak 3TB of NHS Scotland stolen data

Microsoft to shut down 50 cloud services for Russian businesses

Misconfigured Firebase instances leaked 19 million plaintext passwords

200,000 Facebook Marketplace user records leaked on hacking forum

AT&T says leaked data of 70 million people is not from its systems