Cathay Pacific

Hong Kong government weighs in on Cathay Pacific data breach, urging airline to cooperate with privacy watchdog in investigation

  • Authorities express serious concern over data leak affecting 9.4 million passengers
  • Victims sceptical over providing more data to third-party ID monitoring service roped in by airline

PUBLISHED: Friday, 26 October, 2018, 9:46pm
UPDATED: Saturday, 27 October, 2018, 2:50pm

Authorities in Hong Kong have for the first time weighed in on the massive data breach suffered by Cathay Pacific Airways as they pressed the airline to fully cooperate in an investigation with the city’s privacy watchdog.

The government issued a statement on Friday expressing serious concern as affected passengers also questioned whether remedial measures taken by the city’s flag carrier were sufficient, with some worrying there would be further risk of data breach.

The airline has roped in third-party information service company Experian to provide free ID monitoring services for those affected, but this meant customers’ data would be made available to the vendor.

On Thursday, 9.4 million passengers started receiving notification emails from Cathay Pacific about the breach. It was revealed that personal details, such as names, nationalities, and travel document numbers, had been illegally accessed in March.

The airline came under fire from the Office of the Privacy Commissioner for Personal Data for not disclosing the problem until more than half a year later. Cathay apologised for the leak on Thursday.

Responding to an inquiry from the Post on Friday, the company said it would “cooperate fully with authorities”. It added it was in the process of contacting affected passengers over multiple communication channels, and providing them with steps they could take to protect themselves.

A spokesman for the Constitutional and Mainland Affairs Bureau said the government was “highly concerned” about the incident, and noted that the privacy watchdog had launched an investigation, urging the airline to take immediate remedial actions.

“We have requested Cathay Pacific Airways to fully cooperate with [the office] on the compliance check,” the spokesman added. “We also hope the office will complete the check and make a report expeditiously so that Cathay Pacific Airways can comply with the requirements.”

The government said it would jointly review requirements and penalties in the privacy ordinance with the watchdog, and consider steps to enhance data protection and notification procedures in the city concerning data breaches.

As of 4pm on Friday, the privacy watchdog had received 24 complaints and 27 inquiries related to the Cathay case.

The carrier is offering an optional 12-month ID monitoring service to affected passengers in case their compromised data becomes available on “public websites, chat rooms, blogs and non-public places on the internet … such as the dark web”.

But some are wary of offering their information to a third-party vendor. Isabella Chan, a Shanghai-based marketer who is affected by the leak, said she was worried about the use of the service.

“I really don’t see why we should give more data to a third party when we are already at risk from a data security breach,” said Chan, whose mother was also affected. “While Cathay seems to be taking the proactive approach to offer a free service for affected customers, they never explained this service to us.”

Winnie Cheng, a Hong Kong-based digital marketer who is another affected Cathay customer, found that only her email address was compromised after running her data through the monitoring service. But this did not soothe her fears.

“I’m affected emotionally, thinking that my passport details could have been stolen and misused – I’m very concerned about this,” Cheng said.

Data security and privacy specialist Chester Soong, director of Internet Society Hong Kong, believed the concerns over further data leaks were justified.

“If you pass your data to someone else, it is [inviting] another kind of trouble,” Soong said.

Young Wo-sang, convenor of the internet security and privacy working group at the society, agreed. He suggested that Cathay reveal more information about the incident, such as the geographical location of where the data was illegally accessed.

“Passengers can then assess the risk level by themselves,” Young said, adding that the abuse of personal information in some countries, such as Russia and those in South America, was higher.

Commissioner of Police Stephen Lo Wai-chung said on Friday that the airline made an official report on Thursday, and officers were still taking statements and gathering evidence.

He urged members of the public to stay vigilant and monitor their bank accounts.

“If residents fear their information would be leaked, they should consider changing passwords,” Lo said. “If they receive suspicious emails and phone calls, they can report this to police and call the anti-deception hotline. They should also remain alert to any suspicious bank transactions.”

The Consumer Council said it was “highly concerned” about the incident and called it “unsatisfactory” that the airline did not disclose the matter to the public immediately after it was detected.

It urged Cathay to explain to affected passengers in detail the severity of the case and provide appropriate help.

Gilly Wong Fung-han, the council’s chief executive, revealed on Friday that she was among those affected. She said on a radio show she had been notified by Cathay that her name and phone number could have been leaked.

Meanwhile, Experian chief marketing officer Sisca Margaretta said Cathay customers’ data was “a top priority”. She added that information provided would be used solely for identity monitoring and not be shared with any other entity.