The data breach was detected by the airline in March, and confirmed in May, but was only made public last week. Photo: Alamy

Hong Kong police visit Cathay Pacific HQ to investigate major data breach that hit 9.4 million customers

  • Officers from Cyber Security and Technology Crime Bureau collect evidence from airline’s headquarters in city
  • Meanwhile, privacy commissioner offers legal help to any customer wanting to pursue claim for damages

Hong Kong police on Monday visited the headquarters of Cathay Pacific Airways in response to a request by the company to help investigate a data breach that has seen the personal details of 9.4 million customers leaked.

But the officers from the city’s Cyber Security and Technology Crime Bureau said their task was not an easy one because of the airline’s delay in reporting the incident.

The search for evidence came as Hong Kong’s privacy commissioner took to the airwaves to accuse the airline of failing to cooperate with a probe by his staff into the leak. The commissioner pledged legal help to any Cathay customer wanting to pursue the airline for damages.

Officers from the Cyber Security and Technology Crime Bureau leave Cathay’s offices after collecting evidence linked to the data breach. Photo: Felix Wong

After a two-hour investigation at Chek Lap Kok, a police insider said officers had visited the headquarters to study the airline’s servers and computer systems and check on the progress of follow-up action by the firm and its subsidiary Cathay Dragon.

“We need to know the full picture before conducting any forensic examination. We need to understand how their computer systems and servers work. We also ought to get information such as logging details and the last time the system was upgraded,” the source said.

“We earlier sent the airline a list of items and information we needed. So today we are also checking their progress on this.”

But the insider said the inquiries would be long and difficult as company servers were stored at more than one location.

“The airline only reported this to us seven months after the incident. It is not like looking into the hacking of a single mobile phone. We are talking about the data of millions of passengers. The servers are scattered across many different places.”

The director of advocacy group Internet Society Hong Kong doubted whether any substantial investigation would be possible given Cathay’s tardiness in reporting the leak.

“Waiting six or seven months and undertaking a series of actions they claim to be an investigation or remedial action, is actually, from a law enforcement point of view, tampering with evidence,” Chester Soong said.

He noted the computer system had been written over in the intervening months.

“The version of the system in place when the incident occurred no longer exists, so how can the investigators find out what actually happened?”

The airline reported the breach last Thursday, with representatives of the city’s flagship carrier giving a statement at police headquarters in Wan Chai.

A total of 403 expired credit card numbers and 27 with no card verification value were compromised, along with about 860,000 passport numbers, 240,000 Hong Kong ID card numbers, and millions of names, phone numbers, and email addresses.

Privacy Commissioner Stephen Wong Kai-yi on Monday accused the airline of ignoring his organisation’s request for information six days after the breach was made public.

Speaking on a radio show, Wong said the Office of the Privacy Commissioner for Personal Data was prepared to offer legal help to anyone wanting to submit a claim for damages against the airline.

Privacy Commissioner Stephen Wong discussed the data breach on a radio show on Monday morning. Photo: Edward Wong

“A responsible organisation should give out the facts to us as soon as possible,” Wong said. “Fact is fact, it does not require too much thinking about.”

The airline has come in for heavy criticism for announcing the data leak only last week despite the fact it was detected in March and confirmed in early May.

Wong said his office could offer legal advice or help secure representation from registered practising lawyers. So far the commission had received 24 complaints and 27 inquiries relating to the data breach, but no one had filed an application for help, he said.

Wong refused to say if he had himself been a victim of the breach. But he said he had not opened an email from the airline about the incident because he was afraid it was a phishing scam.

Cathay Pacific and IT experts have warned passengers to guard against dubious cyber links as they expect phishing activities to surge following the leak.

“We would like to remind people that emails related to this data security event will only be sent from [email protected],” the airline wrote on its website on Sunday.

The privacy commissioner said his staff had approached the airline requesting preliminary information be made available within 10 days so his office could assess the scale of the incident and see if an in-depth investigation was needed.

Wong said Cathay had yet to respond to the request.

Meanwhile, a British-based law firm has said it plans to seek compensation for Cathay passengers through collective legal action overseas.

It hopes to claim up to £1,500 (US$1,920) for each affected customer, but Hong Kong lawyers have warned it may not be easy for local customers.

The European Union’s General Data Protection Regulation requires companies to disclose breaches within 72 hours. But companies in Hong Kong are not required by law to promptly report any leak. Wong said local authorities were considering changing the rules.

This article appeared in the South China Morning Post print edition as: ‘Belated’ probe begins INTO CATHAY DATA LEAK