AirAsia ransomware attack (Daixin Team)

In November 2022, the low-cost carrier AirAsia — operated by Malaysia-based Capital A Berhad — was struck by the Daixin Team ransomware gang, which claimed to have stolen the personal data of roughly 5 million unique passengers and all of the airline's employees.

What happened

According to Daixin Team, the group breached AirAsia's network over 11–12 November 2022. The attackers said they exfiltrated two large data sets before locking access to staff and passenger records. On 19 November, the breach surfaced publicly through DataBreaches.Net, and on 21 November Daixin published sample files as proof.

Daixin Team is a financially-motivated ransomware-and-extortion group that the U.S. CISA and FBI had warned about earlier in 2022 for targeting the healthcare sector. The gang told reporters it avoided encrypting flight-equipment systems to prevent any life-threatening disruption, but fully locked out access to administrative records until payment.

Data exposed

Passenger records (~5 million): passenger ID, full name (first, middle, last), booking ID, and total ticket cost.
Employee records: name, date of birth, country of birth, work location, employment start date, and — notably — each employee's secret security question, the answer, and the password salt.

The exposure of security questions and answers was especially sensitive, as it could facilitate account-takeover and social-engineering attacks against staff.

Attacker commentary

In an unusually candid exchange, Daixin members criticised AirAsia's security posture, describing "the chaotic organisation of the network" and saying the sprawling, poorly-segmented internal infrastructure discouraged them from pursuing deeper attacks. They claimed AirAsia made no attempt to negotiate the ransom and showed no intention of paying.

Impact and response

AirAsia did not pay any ransom, and the stolen data was leaked. The Malaysian Personal Data Protection Department (JPDP), under the Ministry of Communications and Multimedia, opened an investigation into whether the carrier had breached the Personal Data Protection Act 2010. The incident drew criticism for the apparent weakness of AirAsia's network segmentation and credential-protection practices.

Why it matters

The AirAsia breach is a landmark Malaysian incident for two reasons. First, it exposed identity-grade data on millions of travellers and the entire workforce of one of Asia's largest budget airlines. Second, the attackers' public description of a "chaotic" network underscored a recurring theme in the region's major breaches: rich, centralised personal data stored on inadequately segmented and monitored systems. It reinforced the case for stronger breach-notification enforcement and aviation-sector cybersecurity standards across Southeast Asia.

Timeline

November 11, 2022

Daixin Team breaches AirAsia's network and begins exfiltrating passenger and employee data.

November 12, 2022

The intrusion continues across a two-day window; the group claims it locked staff and passenger records.

November 19, 2022

DataBreaches.Net reports that Daixin Team has acquired data on 5 million passengers and all AirAsia employees.

November 21, 2022

Daixin publishes sample data, claiming AirAsia did not negotiate and had no intention of paying.

November 23, 2022

Malaysian media report the breach; the Personal Data Protection Department (JPDP) opens an investigation.

Sources

thehackernews.comhttps://thehackernews.com/2022/11/daixin-ransomware-gang-steals-5-million.html

techmonitor.aihttps://www.techmonitor.ai/cybersecurity/airasia-ransomware-daixin-team/

thestar.com.myhttps://www.thestar.com.my/tech/tech-news/2022/11/23/airasia-allegedly-hit-with-ransomware-attack-data-of-five-million-passengers-and-employees-reportedly-compromised

databreaches.nethttps://databreaches.net/2022/11/19/airasia-victim-of-ransomware-attack-passenger-and-employee-data-acquired/

lowyat.nethttps://www.lowyat.net/2022/289084/daixin-airasia-hack-databreach/

Related incidents

RansomwareResolvedMarch 20, 2022

Hellenic Post (ELTA) ransomware attack

A ransomware attack attributed to the Vice Society gang paralysed Greece's national postal operator ELTA for roughly eight days, halting financial services and pension payments, with data later leaked and a €2.99 million GDPR fine in 2024.

Victim: Hellenic Post (ELTA)
Loss: $3.2M

RansomwareOngoingFebruary 24, 2026

Leak at the Civil Aviation Safety Organisation

In February 2026 the LAPSUS$ extortion group claimed the theft of about 420 GB of data from France's Civil Aviation Safety Organisation (OSAC), including ID cards, passports, diplomas, proof-of-address documents and internal files; the data was later leaked in full.

Victim: Civil Aviation Safety Organisation

RansomwareOngoingFebruary 7, 2026

Claimed data leak at Voyages Robin

In early February 2026, the Qilin ransomware group listed French coach-travel operator Voyages Robin on its dark-web leak site, claiming to have stolen customer booking details, travel itineraries and financial records.

Victim: Voyages Robin

RansomwareContainedAugust 31, 2025

Jaguar Land Rover global production halt (Scattered Lapsus$ Hunters, 2025)

A cyberattack on Britain's biggest carmaker forced JLR to shut down its global IT network and halted vehicle production in the UK, China, Slovakia, India, and Brazil for five weeks — now considered the most economically damaging cyber incident in UK history.

Victim: Jaguar Land Rover
Loss: $2.40B