Joint Press Release: The Governments Should Hold Lion Air Responsible over Recent Data Breach Affecting Millions of Customers


For Immediate Release: 23/09/2019

DigitalReach and Southeast Asia Freedom of Expression Network (SAFEnet) urge the governments of Thailand, Malaysia, and Indonesia to investigate the major data breach of millions of Lion Air customers. We demand that PT Lion Mentari Airlines (Lion Air) and its subsidiaries be held responsible for the public leak of their customers’ personal information. Lion Air must take immediate action to resolve this violation of customers’ data privacy and be transparent in the way they handle the incident.

Personal information of at least 35 million customers of Lion Air and its subsidiaries, including Thailand-based Thai Lion Air, Malaysia-based Malindo Air, and Indonesia-based Batik Air, was leaked before being shared and sold online. This includes full names, birthdates, phone numbers, email addresses, passport numbers, passport expiration dates, and other details, some of which are sensitive information. Part of the information has been advertised for sale on the dark web. The cause of the breach is not yet publicly known.

While the leaked data does not include financial information, the advertisement for sale on the dark web and the possible use for further exploitation are severely reprehensible. The incident can have long-term effects on the affected customers if the company does not take proper actions and countermeasures. Customers may be subject to identity theft and electronic fraud.

“A data breach usually has long-term effects on individuals. While customers may change their passwords, it is beyond their reach to control the leaked data. The Company must take responsibility for the breach and ensure that the incident is professionally taken care of, especially with respect to the safety of their customers,” said Sutawan Chanprasert, Coordinator of DigitalReach.

“The Governments of Thailand, Malaysia, and Indonesia should take serious action on this matter due to its effects. This is not the first time a similar incident occurred. It should be the last,” said Damar Juniarto, Executive Director of SAFEnet.

As non-profit organizations that advocate for digital rights in Southeast Asia, DigitalReach and SAFEnet demand that:

  1. Lion Air and its subsidiaries thoroughly investigate the incident with the clear intent to protect the personal information of their customers. Thorough investigations will allow the company to understand the cause of the data breach and reveal the flaws in its cybersecurity system, so that they can engage expert help to prevent recurrence. The results of the investigation should be publicly disclosed to ensure transparency on personal data protection.
  2. Lion Air and its subsidiaries must ensure the removal of the leaked data from the public platforms to which it was leaked. The leaked data must be removed from the publicly available platform as soon as possible. The company should also make a public announcement once complete removal is achieved.
  3. Lion Air and its subsidiaries should discuss possible remedies for the affected customers with experts. The company should understand that a data breach can have long-term effects on the affected individuals as their data can be used in a range of criminal activities.
  4. Lion Air and its subsidiaries should disclose to the public how the company plans to prevent the incident from happening again. In this case, we encourage the company to make serious efforts to secure its database and protect the personal information of their customers.

Southeast Asia does not have a unified regional personal data protection law with provisions to address intra-regional data protection. This creates a challenge when a data breach happens at the regional level. When different countries have different mechanisms to handle data protection, the treatment of affected individuals is unlikely to be consistent. This can lead to discrimination. This incident is a good example that highlights regional inadeptness in dealing with data protection.

In Southeast Asia, personal data protection laws only exist in some countries. However, there remain loopholes that raise concerns from a human rights perspective, particularly over protection from abuses of confidentiality. Data breaches that involve many countries usually have broad effects, which makes them worse for affected individuals living in countries without sufficient regulation. Such conditions make protecting the right to privacy of people in Southeast Asia highly challenging, creating greater risk of abuse.

For more information, please contact:

DigitalReach: [email protected] (PGP Key: F31E8A1C9C19FA7)

SAFEnet : Damar Juniarto +628990066000
