Joint Press Release
The Governments Should Hold Lion Air Responsible over Recent Data Breach Affecting Millions Customers
DigitalReach and Southeast Asia Freedom of Expression Network (SAFEnet) urge the Thailand, Malaysia, and Indonesia governments to investigate the major data breach of millions of Lion Air customers. We demand PT Lion Mentari Airlines (Lion Air) and its subsidiaries to be held responsible for the public leak of their customers’ personal information. Lion Air must take immediate action to resolve this violation of customers’ data privacy and be transparent in the way they handle the incident.
Personal information of at least 35 million customers of Lion Air and its subsidiaries, including Thailand-based Thai Lion Air, Malaysia-based Malindo Air, and Indonesia-based Batik Air was leaked before being shared and sold online. This includes full names, birthdates, phone numbers, email addresses, passport numbers, passport expiration dates, and others details, some of which are sensitive information. Part of the information has been advertised for sale on the dark web. The cause of the breach is not yet publicly known.
While the leaked data does not include financial information, the advertisement for sale on the dark web and the possible use for further exploitation is severely reprehensible. The incident can have long-term effects on the affected customers if the company does not take proper actions and counter measures. Customers may be subject to identity theft and electronic fraud.
“A data breach usually has long-term effects on individuals. While customers may change their passwords, it is beyond their reach to control the leaked data. The Company must take responsibility for the breach and ensure that the incident is professionally taken care of, especially with respect to the safety of their customers.” said Sutawan Chanprasert, Coordinator of DigitalReach.
“The Governments of Thailand, Malaysia, and Indonesia should take serious action on this matter due to the its effects. This is not the first time a similar incident occurred. It should be the last.” said Damar Juniarto, Executive Director of SAFEnet
As non-profit organizations that advocate for digital rights
in Southeast Asia, DigitalReach and SAFEnet demand that:
- Lion Air and its subsidiaries thoroughly investigate the incident with the clear intent to protect the personal information of their customers. Thorough investigations will allow the company to understand the cause of the data breach and reveal the flaws in its cybersecurity system, so that they can engage expert help to prevent recurrence. The results of the investigation should be publicly disclosed to ensure transparency on personal data protection.
- Lion Air and its subsidiaries must ensure the removal of the leaked data from the public platforms to which it was leaked. The leaked data must be removed from the publicly available platform as soon as possible. The company should also make a public announcement once complete removal is achieved.
- Lion Air and its subsidiaries should discuss possible remedies for the affected customers with experts. The company should understand that the effects of data breach can have long-term effects on the affected individuals as their data can be used in a range of criminal activities.
- Lion Air and its subsidiaries should disclose to public of how the company plans to prevent the incident from happening again. In this case, we encourage the company to seriously take the efforts to secure its database and protect the personal information of their customers.
Southeast Asia does not have a unified regional personal data protection law with provisions to address intra-regional data protection. This creates a challenge when a data breach happens at the regional level. When different countries have different mechanisms to handle data protection, the treatment of affected individuals is unlikely to be consistent. This can lead to discrimination. This incident is a good example that highlights regional inadeptness in dealing with data protection.
In Southeast Asia, personal data protection laws only exist in some countries. However, there remain loopholes that raise concerns from a human rights perspective, particularly over protection from abuses of confidentiality. Data breaches that involve many countries usually have broad effects which make it worse for affected individuals living in countries without sufficient regulation. Such conditions make protecting the right to privacy of people in Southeast Asia highly challenging, creating greater risk for the abuse.