Why Cathay Pacific’s handling of its data breach deserves praise – honesty is better than silence
- Richard Harris says the aviation giant is just one of a long list of companies preyed on by hackers but it responded with greater thoroughness and transparency
- With data breaches having become the norm, making sure that leaked information is not used illegally or immorally is a collective responsibility
The recent loss of data of 9.4 million customers of Cathay Pacific Airways has been greeted by a great deal of self-important, self-righteous, know-it-all indignation. The usual posse of lawyers are actively pursuing their 2018 bonus on the back of potential clients who, if they think their data wasn’t already in the public domain, are either naive, chancers or both.
I do not have to act as an apologist for Cathay Pacific; goodness knows, I have paid enough money to them over the years. But look at the evidence. Your personal data is highly available – look down, your mobile number is already a global identity card.
There is a huge amount of data collected unnecessarily and for trivial reasons. By allowing Google access to your location to find you a nearby restaurant, you send your valuable location data to servers worldwide.
I went to a conference last week whose attendees were mostly much younger than I. Call me old-fashioned, but I expected in the traditional way to be able to buy a ticket at the door as well as on the internet. It took 20 minutes – of nearing the limit of my will to live – for the helpful ticket seller to insert my title, name, address, telephone number, credit card details, and inside leg measurement into the machine, checking each item with inscrutable thoroughness. I have no idea why they needed so much information but I impatiently surrendered. Could I have said no?
Cathay’s delay of seven months in revealing the loss seems excessive. Then again, within hours I received an email stating that my name, Hong Kong ID, nationality, phone number and title had been leaked – little more information than you can retrieve from this article. Others had more clone-able material stolen, like their birthday, email address and travel document number. But is speed really more important than careful investigation when the hackers can move at the speed of light? I felt peace of mind in knowing the full limit of the breach soon after the announcement.
Yahoo cannot be said to have behaved precipitously in 2017 after it took three years to determine that the details of 3 billion customers had been hacked. If Yahoo itself failed to determine the extent of a major security breach for that long, it proves that the hackers are still way ahead of the hacked.
In 2016, I attended a panel on artificial intelligence at Harvard Business School at which the audience was spellbound at the prospect of machine learning. Classes at Harvard are noisy affairs, as knowledgeable, experienced and ego-filled as they come. But one question stilled the class for a chilling second – no one could answer if privacy meant a hill of beans any more.
Cathay is not the first company to be compromised and it won’t be the last; large companies are constantly under attack. British Airways announced last month that it had lost nearly 400,000 transactions containing name, email address, credit card number, expiration date and the three-digit (CVV) code. At least Cathay kept this critical information from being compromised. And it did not leave me stranded with an unused business class ticket at London Heathrow last month after all its staff had gone home.
The list of companies that have admitted major losses includes Google+ (since closed down), Facebook (50 million users compromised), Uber (57 million), Reddit, My Fitness Pal (150 million), Equifax (143 million and 200,000 credit cards), Sony, Taobao, the US Democratic National Convention, Trump Hotels, and, most embarrassing, the adultery-promoting website Ashley Madison.
Imagine the impact if several billion dollars disappeared at the height of a financial crisis. Many of the major banks have already been hit: Bank of America, Citigroup, HSBC, JP Morgan, Wells Fargo and the European Central Bank to name a few. North Korea was believed to have paralysed South Korean banks in 2013. Russian computer hackers, Fancy Bear, leaked private medical records of celebrity athletes stolen from the World Anti-Doping Agency in 2016.
Cathay admitted their breach – how many others do not? Attacking a company for being honest makes it hard for others to admit their failures. Those successful hacks that we do hear about are the tip of the iceberg.
Once we give up our data, we give up control. Data breaches are part of the millennial age. Taking care that data is not used illegally or dishonestly is now everybody’s responsibility.
Richard Harris is chief executive of Port Shelter Investment and is a veteran investment manager, banker, writer and broadcaster and financial expert witness