For those who haven’t flown with Cathay Pacific, it really is a pleasant enough airline which is well known for its customer service. I have been fortunate enough to travel to Hong Kong on several occasions for business and used Cathay Pacific as my airline of choice – one that I may yet regret.
On Wednesday 24 October 2018, Cathay Pacific announced it had discovered a data breach affecting the personal data of up to 9.4 million passengers, after an IT system had been compromised for at least seven months. The stolen data included phone numbers, email addresses, postal addresses, dates of birth, passport and government ID numbers, and information on passengers' past travel. Furthermore, the airline disclosed that 27 credit card numbers (without the corresponding CVV) had been taken, along with 403 expired credit card numbers. It added that no passwords had been compromised and that the Hong Kong Police, as well as other relevant authorities, had been notified of the breach.

Now, I do not believe I have been affected by the breach; however, the fact remains that I no longer trust Cathay Pacific with my data, which makes me reluctant to use the airline on any future trips. Some of you might be saying, "yes, but that's your opinion" (and true it is), but Cathay Pacific's share price was down 5.1% by midday on Thursday (HKT), illustrating that I am not the only one who has lost trust in Cathay Pacific.
According to the airline, the breach was discovered through one of its "ongoing security processes": it noticed "suspicious activity" on its network in March 2018, but only confirmed unauthorized access to personal data in May. The airline was quick to reassure passengers that the compromised IT systems were separate from its flight operations systems, so flight safety was not affected at any time. Cathay Pacific's CEO, Rupert Hogg, released a statement in which he apologized for any concern caused by the breach, said the airline had acted immediately to contain the incident, and said it was working with a leading cybersecurity firm to strengthen Cathay Pacific's IT security measures. When asked why it had taken so long to disclose the breach, the airline declined to comment. This reassures me that the protection of my data is a top priority at Cathay … NOT!!!
Stephen Kai-Yi Wong, Hong Kong's Privacy Commissioner, expressed "serious concern" over the lapse and has since urged firms to bolster their protection of personal data. He added that his office would be conducting a thorough compliance check of the airline. For those not aware, the Office of the Privacy Commissioner for Personal Data (PCPD) is responsible for enforcing the Personal Data (Privacy) Ordinance (Cap. 486 of the Laws of Hong Kong). If a data user (here, Cathay Pacific) is found to have contravened one of the Data Protection Principles of the Ordinance, the Commissioner may issue an enforcement notice directing it to remedy the contravention. Contravening a Data Protection Principle is not in itself an offence, but contravening an enforcement notice is: on first conviction it carries a fine of up to HK$50,000 and up to two years' imprisonment, with a larger fine on subsequent convictions. The general process is for the Commissioner to conduct an investigation and, if there is sufficient evidence to conclude that an offence has been committed, refer the matter to the Hong Kong Police for prosecution. I am not implying that Cathay Pacific has committed an offence, only that this is yet to be determined.
Some may be asking why Cathay Pacific and British Airways (BA), two airlines, disclosed their breaches in such different ways. Firstly, the extent of BA's breach was a lot smaller, at around 380,000 people. Second, the legal regimes differ: under GDPR, BA was required to notify its supervisory authority (the ICO) within 72 hours of becoming aware of the breach and to inform affected individuals without undue delay, whereas Hong Kong's Personal Data (Privacy) Ordinance contains no mandatory breach notification requirement, so Cathay's disclosure was, strictly speaking, voluntary. Cathay would only fall under GDPR to the extent that the stolen data relates to individuals in the EU (GDPR applies according to where the data subject is, not their citizenship), which for an airline flying to Europe is plausible but still a bit of a grey area. Regardless, the same lesson can be drawn from both breaches (or from any recent breach; there are too many!): more can be done to protect personal information!
How, you may ask? Imagine protecting data beyond encrypting the database or the disk, which protects data only at rest and does nothing once an attacker has a foothold on a system that is entitled to decrypt it, which is exactly the position an intruder with months of access is in. Imagine protecting each individual data attribute separately, so that exposing one attribute (an email address, say) does not expose the others (a passport number). Imagine pseudonymizing data so that it is protected in every state, and if the data is taken it has no value without the keys and lookup tables that are held elsewhere. Imagine a world where the data itself determines when and by whom it can be seen. Imagine, Exate Technology.
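To make the attribute-level pseudonymization idea above concrete, here is an added Python example. It is my own illustration, not Exate's product or code and not code from the original post. It assumes a hypothetical `AttributeVault` that holds one HMAC key per attribute plus the token-to-value table, a hypothetical `POLICY` mapping requesters to the attributes they may re-identify, and a constructed sample passenger record; none of these names or values come from the page.

```python
"""Attribute-level pseudonymisation of a passenger record (illustrative example).

Each sensitive attribute is replaced by a keyed HMAC token under its own key.
The keys and the token -> value table live in a vault that is deployed apart
from the application database, and re-identification is gated per requester.
"""
import hashlib
import hmac
import secrets

# Constructed sample record; not real passenger data.
SAMPLE_RECORD = {
    "email": "a.passenger@example.com",
    "passport": "K12345678",
    "dob": "1980-01-01",
    "phone": "+852 0000 0000",
    "cabin": "business",  # operational field, left in clear
}
SENSITIVE = ("email", "passport", "dob", "phone")

# Hypothetical access policy: which requester may re-identify which attribute.
POLICY = {
    "fraud-team": {"passport", "dob"},
    "marketing": {"email"},
}


class AttributeVault:
    """Holds the per-attribute keys and the re-identification table."""

    def __init__(self, attributes):
        # One independent 256-bit key per attribute, so a leaked key exposes one column only.
        self._keys = {a: secrets.token_bytes(32) for a in attributes}
        self._lookup = {a: {} for a in attributes}

    def pseudonymize(self, attr, value):
        # Keyed HMAC rather than a bare hash: passport numbers and dates of birth have
        # so little entropy that an unkeyed SHA-256 could be reversed by enumeration.
        token = hmac.new(self._keys[attr], value.encode("utf-8"), hashlib.sha256).hexdigest()
        self._lookup[attr][token] = value
        return token

    def reidentify(self, attr, token, requester, policy=POLICY):
        # The data (via the vault) decides who may see it; the application never holds the keys.
        if attr not in policy.get(requester, set()):
            raise PermissionError(f"{requester} is not permitted to see {attr}")
        return self._lookup[attr][token]


def pseudonymize_record(record, vault, sensitive=SENSITIVE):
    """Return a copy of record with every sensitive attribute replaced by its token."""
    return {k: (vault.pseudonymize(k, v) if k in sensitive else v) for k, v in record.items()}


def demo():
    vault = AttributeVault(SENSITIVE)
    stored = pseudonymize_record(SAMPLE_RECORD, vault)
    # This is all an attacker who copies the application database would get:
    print(stored)
    # A permitted requester recovers one attribute through the vault:
    print(vault.reidentify("passport", stored["passport"], "fraud-team"))
    return vault, stored


if __name__ == "__main__":
    demo()
```

Two points the paragraph above does not spell out. The tokens are deterministic, so the application can still join and deduplicate on a passport number without ever seeing it, yet they are keyed, so a stolen table of tokens cannot be reversed by guessing structured identifiers. And the vault becomes the new crown jewel: it has to sit on separate infrastructure with its own access control and logging, otherwise the scheme is just encryption with extra steps.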