Cathay Pacific should have reported leaks of passengers’ data sooner than it did
- Hong Kong’s privacy commission is right to criticise the company for the delay and the government should look at bringing in disclosure laws
Having your personal details stolen is bad enough, even more so when the data is held by someone you think you can trust. Worse, you have been kept in the dark for months until you learn from the media late at night that you and 9 million others are in the same plight. That explains why an avalanche of criticism landed on Cathay Pacific as soon as the city’s worst data leak came to light.
It remains to be seen whether customers have suffered any financial loss as a result. But with as many as 9.4 million people affected worldwide, the risk is huge. The Hong Kong carrier said the compromised data included passengers’ names, nationalities, dates of birth, telephone numbers, emails, physical addresses, passport numbers, identity card numbers, frequent flier memberships, customer service remarks and travel history. A total of 403 expired credit card numbers and 27 credit card numbers with no verification number (CVV) were accessed, along with some 860,000 passport numbers and 245,000 Hong Kong identity card numbers, according to a statement issued shortly before midnight on Wednesday.
The public may be excused for having the impression the firm is trying to cover up. Suspicious activities were detected as early as March when abnormal data migration between different systems was found during a regular server check. An investigation confirmed in May that there was unauthorised data access. What has left people wondering is an apparent seven-month delay in reporting the case to the authorities and alerting victims. A Cathay executive yesterday denied a cover-up, saying it did not want to cause “unnecessary public panic”. Be that as it may, the delay has prolonged the risk of customers incurring further damage. They could have taken precautionary steps had they been told immediately.
The privacy commission was right in criticising the company for the delay. Although there is no legal requirement for such reports, the airline has a moral responsibility to notify the affected as soon as possible. Under the European Union’s new General Data Protection Regulation, breaches are to be reported within 72 hours, with non-compliance liable to a fine equivalent to 4 per cent of a company’s annual revenue. Understandably, legislative amendments take time, but there is every reason for the watchdog and the government to consider moving in such a direction.
This is the second serious data leak in six months, after details of 380,000 customers of the city’s second largest fixed-line residential broadband company were hacked. The incidents show that no company is immune from cybercrime. It is regrettable that due diligence is still lacking among those who have the legal duty to protect personal data.