AirAsia Confirms Cyberattack Incident Without Addressing The Leakage Of Stolen Personal Data

Four days after our initial report, AirAsia finally admitted that it was hit by a cyberattack. The revelation took place through a rather short statement that Capital A has filed on Bursa Malaysia.

For those who missed the story, the Daixin ransomware group claimed that it attacked the AirAsia network on 11 and 12 November. Through the attack, the group said that it was able to obtain a set of data that contains five million customers as well as all of AirAsia’s employees.

In an interview with DataBreaches.net, Daixin’s spokesperson noted that AirAsia’s network was actually so disorganized to the extent that the group felt discouraged to perform further attacks. Nevertheless, the group also said that the company’s network protection was very weak.

We reached out to AirAsia on 21 November to obtain further clarification but didn’t receive any reply until today when an AirAsia representative reached out and pointed to us to a statement on Bursa Malaysia’s website. However, the statement did not make any reference to our story.

Instead, it referred to the reports by The Edge Markets and The Star that were just published yesterday. Nevertheless, the contents of both stories as well as their sources were similar to our article that was published last Sunday.

Here is a full reproduction of the statement that Capital A has submitted to Bursa:

Capital A Berhad (Formerly Known As AirAsia Group Berhad) (“The Company”) Clarification On News Articles Features In The Edge Markets And The Star On 23 November 2022

We refer to the following news articles entitled:

1. “AirAsia hit by ransomware attack, five million passenger and employee data compromised” featured in The Edge Markets on 23 November 2022; and
2. “AirAsia allegedly hit with ransomware attack, data of five million passengers and employees reportedly compromised” featured in The Star on 23 November 2022.

The Company wishes to clarify that the cyber attack was on redundant systems and did not affect our critical systems. The Company had taken all measures to immediately resolve this data incident and prevent such future incidents.

There had been no operational or financial impact to the Company arising from this.

This announcement is dated 24 November 2022.

As you can clearly see in the statement, Capital A admitted that the attack happened but stopped short of disclosing whether millions of personal data have really been stolen by Daixin during the incident.

We are now attempting to obtain additional clarification from Capital A regarding this. At the same time, we are also reaching out to the Department of Personal Data Protection for their take on this incident since Capital A seemed to be reluctant on disclosing the status of the personal data that was hit by the ransomware incident.