Opinion | The fact Cathay Pacific does not have to notify anyone of a data breach is unacceptable. The law must change

Stuart Hargreaves says it is inexcusable that Cathay took months to announce a security breach affecting millions. It’s about time Hong Kong updated its law

The government should enact an EU-style system, which requires that authorities are notified of any breach within 72 hours of it being discovered.

Reading Time:3 minutes

Cathay Pacific took more than six months to come clean about a computer security breach affecting 9.4 million passengers. But under Hong Kong law, the airline does not even need to notify the authorities of a data breach. Photo: AFP

Published: 12:00pm, 26 Oct 2018Updated: 7:18pm, 26 Oct 2018

On October 24, Cathay Pacific revealed that it had suffered a computer security breach, exposing 9.4 million passenger records. Although the information varied from customer to customer, the breach apparently involved names, dates of birth, addresses, passport information, identity card numbers, expired credit card numbers, travel histories and customer service records.

Perhaps more staggering than the scope of the incident is the fact that it took place in March, more than six months ago. Even now, some individuals might not have been informed if they are among the affected passengers – the airline said it would contact customers over the next few days.

The leaked information could be put to malicious use. The most obvious consequences could be identity theft and fraud, or criminal attempts to open new accounts and credit cards. To prevent such misuse, Cathay said it was offering “ID monitoring services” to help ascertain whether customers’ personal information had been shared online.

But this is far from foolproof: several years ago, the CEO of a similar service known as Lifelock publicly advertised his social insurance number as a guarantee that his company could prevent identity theft in the event of a data leak. He subsequently had his identity stolen at least 13 times.

But the harm to Cathay Pacific’s customers could go far beyond identity theft. The leak of individual travel records is a gross violation of privacy that no kind of ID monitoring can remedy. Information about where we go, when and with whom can reveal an awful lot about our lives.

The declining fortunes of Cathay Pacific

Select Voice

Choose your listening speed

Get through articles 2x faster

1.25x

250 WPM

Slow

Average

Fast

00:0000:00

1.25x