I’d be interested to see what security controls were in place to detect rogue activity. Remembering the GDPR distinction between ‘Data Owner’ and ‘Data Processor’, irrespective of who actually stole the data, it’s the airline that is responsible…:
[…] The two former employees were based at GoQuo’s development centre in India and “improperly accessed and stole” personal data of the airlines’ customers, said Malindo Air in the latest of a series of statements regarding the breach. The carrier said it had reported the incident to the police in Malaysia as well as India.
Stressing that all its systems were “fully secured”, it further noted that the data leak had been “contained” and reiterated that no payment details were compromised in the breach. It also initiated an auto-reset of all its customers’ passwords.
Personal data compromised in the breach included the passenger’s date of birth, passport number, and mobile number.
Malindo Air said the incident was “not related” to the security of its data infrastructure or that of its cloud provider, Amazon Web Services (AWS).