Cathay Pacific urged to extend free ID monitoring service in wake of massive data breach affecting 9.4 million passengers
- Online security expert says four to six years of surveillance needed to match lifespan of credit card
- Lawmaker Charles Mok disagrees, saying involvement of contractor ‘complicates the problems’
Cathay Pacific Airways is facing a call from the Hong Kong IT industry to extend its free identity surveillance service from 12 months to several years to better protect passengers’ personal data after a massive data breach was revealed earlier this week.
The 9.4 million affected passengers started receiving notification emails from the city’s flagship carrier on Thursday detailing the nature of the personal details, such as names, nationalities and travel document numbers, that had been illegally accessed in March.
The airline also offered them a 12-month free ID monitoring service by a third-party provider, which would sweep cyber outlets to see whether any passenger data was available on social platforms and the dark web – a section of the internet that can be accessed only with special software, settings or authorisation.
“This service [IdentityWorks Global Internet Surveillance] monitors if your personal data may be available on public websites, chat rooms, blogs and non-public places on the internet … such as dark web sites,” the email read. “This is an optional service, and how much information to include in the identity monitoring is completely at your discretion.”
Anthony Lai Cheuk-tung, founder and security researcher at Valkyri-X Security Research Group, said the service should be extended to four to six years, as that was the lifespan of a credit card, while Hong Kong residents would soon replace their identity cards, with the exercise set to be completed in 2022.
“By then, all Hong Kong residents will have their ID cards upgraded and credit cards expired. This would be better protection,” Lai said on a radio show on Friday morning.
“Otherwise, if I were the hacker, I would rather wait for a year before I sold the data online.”
But lawmaker Charles Mok, who represents the IT sector, did not agree, saying this would mean that the personal data would be further handled by a third party – the contractor.
“Is the company that provides the surveillance service reliable? To a certain extent, it just complicated the problems,” said Mok, who also received an alert from the airline telling him six pieces of his personal information had been leaked.
Cathay Pacific is facing widespread condemnation for keeping the leak secret for seven months. Although the hackers had illegally accessed the data in March, the company revealed this only late on Wednesday night. The airline also reported the leak to the privacy commissioner, police and other authorities only on the same day.
The delay earned the airline a strong rebuke from the privacy commissioner, while angry passengers complained about being deliberately kept in the dark, prompting Cathay Pacific CEO Rupert Hogg to apologise.
The carrier’s chief customer and commercial officer Paul Loo Kar-pui defended the delay on Thursday, saying that it was to avoid “unnecessary panic” among customers.
Personal data for customers of Cathay Pacific and its subsidiary, Cathay Dragon, had been accessed without authorisation, including passenger names, nationalities, dates of birth, identity card numbers and travel history.
A total of 403 expired credit card numbers and 27 credit card numbers with no card verification value were compromised, along with about 860,000 passport numbers, including 50,000 Hong Kong ones, and 240,000 Hong Kong ID card numbers.
Loo said more than half the leaked data included names with phone numbers or email addresses, adding that there was no evidence that passwords, Asia Miles or Marco Polo Club account information had been illegally accessed.
Cathay Pacific has refused to comment further on where the affected passengers are from, although it has set up hotlines in 35 countries.
Britain’s privacy watchdog has confirmed that it received a report from the airline about the incident and is following up “to verify the details”.
The offices of Australia’s and New Zealand’s privacy commissioners said they could launch an investigation into the breach but would not comment or had not yet decided.
Canada’s and Ireland’s privacy commissioners’ offices said they had not received a report from Cathay Pacific.
Additional reporting by Alvin Lum