My Take | Cathay Pacific breach shows need for Hong Kong to land disclosure laws
- Airline knew as early as March about the possible leak of personal data of 9.4 million passengers, presumably hacked by cybercriminals, yet has only chosen to reveal it now
Imagine the government suffers a massive data breach affecting millions of, say, public hospital patients or taxpayers and then fails to disclose it for half a year. You can already hear the public outcry, and the people will be right to be upset.
That is the situation with Cathay Pacific and subsidiary Hong Kong Dragon Airlines. The personal data of 9.4 million passengers was leaked, presumably hacked by cybercriminals. The airlines first learned about a possible breach as early as March, yet only chose to disclose it now.
The massive breach targeted passengers’ names, nationalities, dates of birth, telephone numbers, emails, physical addresses, passport numbers, identity card numbers, frequent flier programme membership numbers, customer service remarks and travel history. Suppose Cathay leaked such personal data of its chief executive Rupert Hogg. Then its IT department didn’t tell him about it for months, how would Mr Hogg react?
You can presumably build a pretty detailed profile of someone when you know all these things about him. In a statement, the airline said suspicious activity was detected in March, but unauthorised access to the data was only confirmed in early May.
It took more than a month to determine whether there had been a breach, and on such a massive scale. No doubt the investigation was thorough, if more than a bit slow.