• United States




Were stolen passports allowed on MH370?

Mar 08, 20144 mins
Investigation and Forensics

Late Friday evening my wife shared with me the news that Malaysian Airlines flight MH370 had gone missing. I got quiet. This was the very same airline and route that I took from to Kuala Lumpur to Beijing a few months ago after attending the HITB conference.

I thought of the crew that I had met on that flight and I wondered if they were lost. Then of all the people on the flight who may have just perished some where over the ocean. A terrible thought. 

The plane left Kuala Lumpur and not long into the flight it vanished from radar without so much as a mayday call it seems. I hate to think as to what actually happened. At the time of this post being published there were far more questions than there are answers. 

Something decidedly odd stuck out in the articles I read. It seems that there was two people on the plane that were flying with stolen passports. One I would chalk up to coincidence. But, two? My alarm bells started to sound. 

From Reuters:

The passenger list provided by the airline includes Luigi Maraldi, 37, an Italian citizen. Newspaper Corriere Della Sera reported that Maraldi’s passport was stolen in Thailand last August. The Italian Interior Ministry was unable to immediately comment on the report.


In Vienna, the Austrian foreign ministry said an Austrian listed among the passengers was safe and had reported his passport stolen two years ago while he was travelling in Thailand.

Two passports stolen while people were on travel in Thailand? Both found their way on to the same flight that disappeared under mysterious circumstances? I don’t like the feeling I’m getting in the pit of my stomach. 

In the last year I traveled to 5 different countries in Asia. During those trips I witnessed some curious lapses in physical security. I would have thought that something like a stolen passport would be flagged in a system. Then, I remembered in one particular country where the customs officers had no computer terminal. They never looked up when they were reviewing my passport. Never said a word to me. They just stamped my passport and I was on my way.


Did nefarious types exploit these lapses? How is that passports that were apparently reported as being stolen didn’t set off any alerts? How were these two characters, if this in fact the root of the issue, get through security? The code share for this flight, China Southern had sold 7 tickets for this flight. Two of which were sold to the people with the stolen identification. The Beijing correspondent for the Daily Telegraph, Malcolm Moore, wrote this,

China Southern says it sold seven tickets for MH370, including the two to the stolen passport holders. Not sure if that’s significant.

— malcolmmoore (@MalcolmMoore) March 8, 2014

I have trouble believing in coincidence. 

Who were the other 5 passengers from that block of tickets? If this was a case of terrorism where is the claim by the affiliated group? Maybe this is just pure chance. Was the passenger list incorrect? This may just turn out to be a result of the fog of confusion surrounding the incident as it is still unfolding. Or this was a complete break down in physical security. Time will tell.

My thoughts go out to the families affected by this tragedy. 

[UPDATE]: Confirmed. No one checked to see if the passports were even valid. 


No checks of the stolen Austrian and Italian passports were made by any country between the time they were entered into INTERPOL’s database and the departure of flight MH 370. At this time, INTERPOL is therefore unable to determine on how many other occasions these passports were used to board flights or cross borders.

Keep in mind that one of these passports was stolen two years ago. 

(Image used under CC from Phinalanji)


Dave Lewis has over two decades of industry experience. He has extensive experience in IT security operations and management. Currently, Dave is a Global Security Advocate for Akamai Technologies. He is the founder of the security site Liquidmatrix Security Digest and co-host of the Liquidmatrix podcast.

The opinions expressed in this blog are those of Dave Lewis and do not necessarily represent those of IDG Communications, Inc., its parent, subsidiary or affiliated companies.

More from this author