Cathay Pacific breach shows need for Hong Kong to land disclosure laws

  • Airline knew as early as March about the possible leak of personal data of 9.4 million passengers, presumably hacked by cybercriminals, yet has only chosen to reveal it now
PUBLISHED : Thursday, 25 October, 2018, 6:00pm
UPDATED : Friday, 26 October, 2018, 11:15am

Imagine the government suffers a massive data breach affecting millions of, say, public hospital patients or taxpayers and then fails to disclose it for half a year. You can already hear the public outcry, and the people will be right to be upset.

That is the situation with Cathay Pacific and subsidiary Hong Kong Dragon Airlines. The personal data of 9.4 million passengers was leaked, presumably hacked by cybercriminals. The airlines first learned about a possible breach as early as March, yet only chose to disclose it now.

The massive breach targeted passengers’ names, nationalities, dates of birth, telephone numbers, emails, physical addresses, passport numbers, identity card numbers, frequent flier programme membership numbers, customer service remarks and travel history. Suppose Cathay had leaked such personal data of its chief executive Rupert Hogg, and its IT department then didn’t tell him about it for months. How would Mr Hogg react?

You can presumably build a pretty detailed profile of someone when you know all these things about them. In a statement, the airline said suspicious activity was detected in March, but unauthorised access to the data was only confirmed in early May.

It took more than a month to determine whether there had been a breach at all, let alone one on such a massive scale. No doubt the investigation was thorough, if more than a bit slow.

If the breach was considered insignificant and non-threatening, why did Cathay disclose it now? But if it was significant, as it certainly appears to be, did the airline not have a duty of care to its millions of customers to disclose the problem at the first opportunity? A company statement said: “The company has no evidence that any personal information has been misused.”

How would the company know? The absence of evidence is not evidence of absence. Suppose a Cathay client was a victim of cybercrime yet didn’t know about the data breach: how could he possibly guess that the two events might be connected? And the police wouldn’t know where to look even if he had reported it.

The Office of the Privacy Commissioner for Personal Data has promised a probe. But the aviation authorities should also investigate.

Sadly, unlike some overseas jurisdictions, Hong Kong doesn’t have laws requiring such disclosure to be timely. But given the prevalence of cybercrimes and data leaks, there is clearly an urgent need to introduce such laws to protect people’s private data.