top of page

AirAsia Hack: What Happened and What We Can Learn From It

Updated: Apr 22, 2023

Data breaches have become a common occurrence in today's digital age, and the latest victim is AirAsia. Recently, the company announced that it had suffered a data breach that resulted in the theft of customer records. In this blog post, we will discuss the details of the AirAsia hack, the potential penalties, which obligations were breached, and the lessons that can be learned from this incident.

What Happened?

According to AirAsia, the data breach occurred in late May 2021, and the stolen data included customer names, birth dates, email addresses, and encrypted passwords. The company assured its customers that no financial information was stolen and that credit card details were not stored on its servers.

AirAsia also stated that it had taken immediate steps to secure its servers and that it was cooperating with relevant authorities in their investigations. However, the company did not disclose how many customers were affected by the data breach.

Potential Penalties?

Under Malaysia's Personal Data Protection Act (PDPA), companies that fail to protect their customers' personal data can face fines of up to RM 500,000 ($120,000) and/or imprisonment for up to three years. In addition to potential penalties under the PDPA, AirAsia could also face reputational damage, loss of customer trust, and legal action from affected customers.

Which Obligations were Breached?

AirAsia is obligated under Malaysia's PDPA to protect its customers' personal data. The PDPA requires companies to obtain consent from individuals before collecting, using, or disclosing their personal data. It also requires companies to protect personal data from unauthorized access, disclosure, or destruction.

The AirAsia hack breached the company's data privacy obligations under the PDPA by allowing unauthorized access to its customers' personal data. This breach not only put the affected customers at risk of fraud and identity theft but also damaged the reputation of AirAsia.

What We Can Learn from This?

The AirAsia hack highlights the importance of cybersecurity and the need for companies to take proactive measures to protect their customers' personal data. Companies should have robust data privacy policies and procedures in place to ensure that customer data is protected from unauthorized access or disclosure.

In addition, companies should provide regular training to their employees to educate them on data privacy and security best practices. Employees should be aware of the potential consequences of breaching customer data privacy and the importance of reporting any suspicious activities.

Furthermore, companies should conduct regular audits and assessments to ensure that their data privacy policies and procedures are being followed and are effective. These audits should include reviewing access controls, monitoring user activity, and assessing the effectiveness of the company's security measures.


The AirAsia hack is a reminder of the importance of data privacy and the severe consequences of data breaches. Companies have an obligation to protect their customers' personal data, and failure to do so can result in severe penalties and damage to their reputation.

The AirAsia hack is a wake-up call for companies to prioritize cybersecurity and data privacy. Companies should take proactive measures to protect their customers' personal data, including implementing robust data privacy policies and procedures, providing regular employee training, and conducting regular audits and assessments. By taking these measures, companies can avoid potential penalties and protect their customers' trust and reputation.



Disclaimer: The information provided on all our blog post is intended for general informational purposes only and does not constitute legal advice. The author and publisher are not liable for any damages or losses resulting from reliance on this information. It is recommended to consult with a legal professional for specific advice regarding PDPA compliance and other related data privacy obligations.

bottom of page