Cathay Pacific likely to avoid harsh punishment despite taking months to notify passengers about massive data breach
- Privacy Commissioner Stephen Wong says authorities are considering changing rules to require such leaks to be reported promptly
- Airline says reason for delay was to avoid causing unnecessary panic among customers
Cathay Pacific Airways looks set to escape heavy penalties under Hong Kong, United States and European Union privacy laws, even as it faces universal condemnation for keeping a massive data breach secret for seven months.
The city’s flagship carrier revealed late on Wednesday night that personal details of 9.4 million passengers had been illegally accessed by hackers in March, earning a strong rebuke from the privacy commissioner on Thursday while angry passengers complained about being deliberately kept in the dark.
While the European Union’s new General Data Protection Regulation requires such breaches to be reported within 72 hours, corporate lawyers said Cathay may have narrowly escaped punishment, as the breach was discovered about three months before a rule change on May 25.
Under EU law, companies that fail to report such breaches in a timely manner can now be fined 4 per cent of their annual revenue. Laws in certain European nations, including Germany, France and the Netherlands, stipulate penalties for failure or delay in notifying regulators or affected persons.
The majority of US states have passed laws requiring businesses and government departments to notify citizens of data breaches, but have not spelt out the legal consequences for non-compliance.
Overseas privacy watchdogs, however, may still demand answers from the airline, and failure to protect passengers’ personal data could still be punishable under overseas privacy laws.
“If it took so long, there must be good reason why and what has prevented them from making that [disclosure],” said Singapore-based lawyer Jonathan Kok.
A spokesman for Britain’s privacy watchdog, the Information Commissioner’s Office, confirmed to the Post that it had received a report from the airline and would follow up.
Cathay Pacific CEO Rupert Hogg said he was “truly sorry” in a nearly two-minute-long video posted on the company website to address affected customers.
“We never forget, we must earn and maintain your trust … I’m truly sorry for the concern that this may have caused,” Hogg said, reiterating the airline’s claim that no data was found to have been misused so far.
Explaining Cathay’s failure to report the attack sooner, chief customer and commercial officer Paul Loo Kar-pui said on a radio show that it was to avoid “unnecessary panic” among customers.
“We understand the sensitivity in handling this issue. So we hope to do better preparation … so our clients will know whether they are affected and how,” he said.
We have discovered unauthorised access to some of our passenger data. For Data Security Event support, please DM @cxinfosec for assistance.
— Cathay Pacific (@cathaypacific) October 24, 2018
Loo conceded Cathay had only reported the leak to the privacy commissioner, police and other authorities on Wednesday. Affected customers learned of the problem through the media, and were only officially informed on Thursday afternoon by the airline that their personal information had been compromised.
The airline said it had discovered that the personal customer data of Cathay Pacific and its subsidiary, Cathay Dragon, had been accessed without authorisation, including passenger names, nationalities, dates of birth, identity card numbers and travel history.
A total of 403 expired credit card numbers and 27 credit card numbers with no card verification value were compromised, along with around 860,000 passport numbers and 240,000 Hong Kong ID card numbers.
Loo revealed that 50,000 Hong Kong passport numbers had been accessed. More than half the leaked data included names with phone numbers or email addresses.
He said there was no evidence that passwords, Asia Miles or Marco Polo Club account information had been illegally accessed.
The suspicious activity was detected in March, when abnormal data migration between different systems was found during a regular server check. The company conducted a cybersecurity investigation afterwards and confirmed the breach in early May.
Citing an insider source from the airline, VXRL security researcher Anthony Lai Cheuk-tung said Cathay’s IT vendor, which was authorised to access the customer database, may have been hacked.
“A separate security vendor detected and blocked the hacker’s attempt to intercept passengers’ information from the IT vendor some time in March, but the hacker managed to eventually bypass and access the information in the database,” Lai told the Post.
“The airline has been carrying some 2 million passengers per year, so a good guess would be their customers from all around the world have been affected.”
Many Cathay Pacific customers were incredulous that it had taken so long to alert them.
“It is quite outrageous ... Hong Kong people are very sensitive about their personal data, and Cathay must be well aware of that,” said customer and shareholder Simone Chen. “We can tolerate the bad food quality, but not the [lack of] data privacy protection.”
Another customer, Ada Lam, said: “I won’t fly Cathay any more – unless no other options are open.”
Eric Fan Kin-man, of the Hong Kong Information Technology Federation, said he did not understand why Cathay had put customers at risk by failing to report the data breach on time.
Lawmakers across the political spectrum were united in condemning the airline’s response.
“It is unacceptable to only disclose the incident half a year after it actually happened, and passengers may have missed the opportunity to indemnify themselves from any loss,” pro-establishment lawmaker Elizabeth Quat said.
Opposition lawmaker Andrew Wan Siu-kin called on Cathay to cancel its plans for another fuel surcharge to be imposed from November.
Privacy Commissioner Stephen Wong Kai-yi said although there was no legal requirement in Hong Kong for the data breach to be reported, Cathay had not fulfilled its moral responsibility to notify affected passengers quickly enough.
“Cathay should have sent notifications as soon as suspicious activities were detected to seek solutions together,” Wong said.
He would consider seeking tougher rules to avoid a repeat scenario, he added.
Loo said Cathay would email all affected customers within the next couple of days, and had set up a webpage on the data breach as well as a hotline for inquiries.
The security vulnerability was fixed when it was found, and no unusual activity had been discovered so far, he said.
The company said it was offering further help to affected customers through a data and information service provider to check if their personal information was available on public websites, online chat rooms and even the dark web – a section of the internet that can be accessed only with special software, settings or permission.
Cathay Pacific representatives went to police headquarters in Wan Chai on Thursday morning to make a statement after reporting the breach to the force over the phone on Wednesday night.
Sources with knowledge of the airline’s IT infrastructure suggested that a simple error, rather than a sophisticated attack, could have paved the way for the breach to go undetected.
Additional reporting by Christy Leung and Simone McCarthy