Customers who were victims of the Cathay Pacific data breach were only informed of the accident in October, even though their data may have been vulnerable since March. Photo: Getty Images
Opinion
Kai-Lung Hui
After Cathay Pacific’s debacle, companies must get proactive with cybersecurity and get customers involved

  • Kai-Lung Hui says that as more systems become interconnected, it grows more important for companies, their customers and employees to be aware of potential vulnerabilities. Protection is effective only if it is extended to all parties
Data security and privacy have hit the headlines again. Cathay Pacific has suffered a massive data breach leading to the potential compromise of 9.4 million customers’ records. Earlier this year, British Airways disclosed that the payment card data of 244,000 customers had been compromised. Last week, it added another 185,000 to the total number affected.
Separately, fraud cases have occurred in the use of electronic direct debit authorisation (eDDA), a value-added service of the faster payment system (FPS) launched last month. eDDA is supposed to facilitate seamless direct debit payments such as account top-up. However, criminals have managed to use illicitly obtained Hong Kong ID card images and bank account numbers to wire money out of the victims’ accounts.

All of these security incidents highlight the weakness in our protection. Computer systems today are massively interconnected. Even if we have taken strong measures to protect our in-house systems storing sensitive customer data, we are still exposed to risks caused by our trading partners. According to unverified reports, the Cathay Pacific incident could have been caused by a mistake by its security consultant while conducting penetration tests. The British Airways incident could have happened because of the use of a faulty front-end programme from a third-party supplier to record the payment card data.

Similarly, in the eDDA case, there was no problem on the payer side. The customers’ accounts and the banks’ systems are intact. The problem lies at the payee side, which allowed criminals to open an electronic wallet on behalf of the victim without due authentication. The criminals could then use the payer’s (that is, the victim’s) account to top up the “counterfeit” electronic wallet.

Cathay Pacific calls in the Hong Kong police to help investigate the massive data breach at the Cathay Pacific headquarters in Chek Lap Kok. The breach is rumoured to have taken place during penetration testing by a security consultant. Photo: Felix Wong
Organisations should recognise two important facts in cybersecurity. First, by extending the scope and connecting with more parties in offering a service, we are exposed to extra risks because the systems have become interdependent. You may have installed a powerful firewall or encrypted all customers’ data, but a successful phishing attack against your contractors’ employees or a faulty JavaScript from your credit card payment processing company could render all of these efforts ineffective.

The only way to protect ourselves is to recognise these interdependent risks and take extra measures to address them. For example, we may downgrade the security privileges of our contractors’ access accounts, or conduct elaborate tests against all outsourced software utilities. We can never pre-empt a problem if we do not know the problem source.

Second, and more importantly, we must recognise that the security of any electronic service depends on the joint effort of all parties involved in the transaction, including the customers. Hence, instead of hiding information about potential security breaches, we should tell our customers as early as possible so that they can take the necessary precautions at their own end.

In Cathay Pacific’s case, it was reported that the illegal access started in March, but the company disclosed it only last week, in October. Such a long delay gave the criminals too much time to exploit the customer data by, for example, impersonating the customers to cheat their friends.

In cybersecurity, Murphy’s Law – “whatever can go wrong will go wrong” – applies. We cannot simply be opportunistic, hoping no one will discover or exploit our vulnerabilities. Organisations must actively identify and patch all holes in their computer systems, and this includes inspecting the workflow and access from all parties in the entire supply chain and their customers.

We must also ensure that the right incentive system is in place for all parties to step up their security protection. I may not want to protect my access accounts or passwords if I know that the company will shoulder all security breach responsibility and compensate me. Such unclear or uneven liability distribution may explain why many security breach incidents start from some third-party suppliers or trading partners.

Kai-Lung Hui is a chair professor in the Hong Kong University of Science and Technology’s Business School. The views expressed here are his own.

This article appeared in the South China Morning Post print edition as: Everyone has a role to play in cybersecurity