After Cathay Pacific’s debacle, companies must get proactive with cybersecurity and get customers involved
- Kai-Lung Hui says that as more systems become interconnected, it grows more important for companies, their customers and employees to be aware of potential vulnerabilities. Protection is effective only if it is extended to all parties
Data security and privacy have hit the headlines again. Cathay Pacific has suffered a massive data breach leading to the potential compromise of 9.4 million customers’ records. Earlier this year, British Airways disclosed that the payment card data of 244,000 customers had been compromised. Last week, it added another 185,000 to the total number affected.
Separately, fraud cases have occurred in the use of electronic direct debit authorisation (eDDA), a value-added service of the faster payment system (FPS) launched last month. eDDA is supposed to facilitate seamless direct debit payments such as account top-up. However, criminals have managed to use illicitly obtained Hong Kong ID card images and bank account numbers to wire money out of the victims’ accounts.
All of these security incidents highlight the weakness in our protection. Computer systems today are massively interconnected. Even if we have taken strong measures to protect our in-house systems storing sensitive customer data, we are still exposed to risks caused by our trading partners. According to unverified reports, the Cathay Pacific incident could have been caused by a mistake of its security consultant while conducting penetration tests. The British Airways incident could have happened because of the use of a faulty front-end programme from a third-party supplier in recording the payment card data.
Similarly, in the eDDA case, there was no problem on the payer side. The customers’ account and the banks’ systems are intact. The problem lies at the payee side, which allowed criminals to open an electronic wallet on behalf of the victim without due authentication. The criminals can then use the payer’s (that is, the victim’s) account to top up the “counterfeited” electronic wallet.
The only way to protect ourselves is to recognise these interdependent risks and take extra measures to address them. For example, we may downgrade the security privileges of our contractors’ access accounts, or conduct elaborate tests against all outsourced software utilities. We can never pre-empt a problem if we do not know the problem source.
Second, and more importantly, we must recognise that the security of any electronic service depends on the joint effort of all parties involved in the transaction, including the customers. Hence, instead of hiding information about potential security breaches, we should tell our customers as early as possible so that they can take the necessary precautions at their own end.
In Cathay Pacific’s case, it was reported that the illegal access started in March, but the company disclosed it only last week, in October. Such a long delay gave too much time to the criminals to exploit the customer data by, for example, impersonating the customers to cheat their friends.
Watch: The declining fortunes of Cathay Pacific
In cybersecurity, Murphy’s Law – “whatever can go wrong will go wrong” – applies. We cannot simply be opportunistic, hoping no one will discover or exploit our vulnerabilities. Organisations must actively identify and patch all holes in their computer systems, and this includes inspecting the workflow and access from all parties in the entire supply chain and their customers.
We must also ensure that the right incentive system is in place for all parties to step up their security protection. I may not want to protect my access accounts or passwords if I know that the company will shoulder all security breach responsibility and compensate me. Such unclear or uneven liability distribution may explain why many security breach incidents start from some third-party suppliers or trading partners.
Kai-Lung Hui is a chair professor in the Hong Kong University of Science and Technology’s Business School. The views expressed here are his own