Cathay Pacific data leak: airline warns customers to guard against phishing attempts
- Beleaguered Hong Kong airline says it is aware of attempted fraud targeting some of the 9.4 million passengers whose data was compromised in the breach
- Cybersecurity experts call for Hong Kong to introduce a law that would force companies to declare data leaks within days
Cathay Pacific Airways and IT experts have warned passengers to be wary of suspicious links, as they expect phishing activity to surge following the massive data leak.
The city’s flagship carrier revealed belatedly on Wednesday night that the data of 9.4 million passengers had been illegally accessed, despite the breach being detected in March and confirmed in early May.
“We are aware that attempted phishing is taking place, and would like to remind people that emails related to this data security event will only be sent from [email protected],” the airline wrote on its website.
Passengers should not click on variations of links to data monitoring services, it added.
The airline did not immediately respond to a Post inquiry asking on which online platforms these phishing activities were discovered, and how many enquiries Cathay Pacific has received.
Phishing messages are disguised emails, text messages or social media posts sent from addresses or sites crafted to resemble those of a reputable sender, in this case Cathay. A typical phishing message contains a link leading to a counterfeit website, which may prompt the recipient to enter sensitive information such as login credentials or card details, or may push a download of malicious software, known as malware, onto the victim's device.
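The lookalike-address trick described above is mechanical enough to check for. The following Python script is an added illustration, not code from the article or from the airline: it takes a constructed sample email of the kind a breach victim might receive, extracts the sender address and every link, and classifies each host as the legitimate domain, a lookalike (the brand name embedded in an unrelated domain, or the same name with different punctuation) or simply external. The legitimate domain `airline.example` and the sample message are placeholders assumed for the example; the real airline's domain is not taken from the page.

```python
import re
from urllib.parse import urlparse

# Assumed legitimate sender domain for this illustration. This is a placeholder,
# not the airline's real domain and not taken from the article.
LEGIT_DOMAIN = "airline.example"

# Constructed sample message imitating a post-breach phishing lure (not real).
SAMPLE_EMAIL = """From: Customer Care <care@airline.example.security-notice.net>
Subject: Important: activate your free data monitoring now

Dear passenger, your details may have been exposed. Activate your
12-month monitoring here: https://airline-example.com/monitor/activate
or via our secure portal: http://airline.example.secure-login.biz/verify
Official FAQ: https://www.airline.example/data-event
"""

URL_RE = re.compile(r"https?://[^\s<>\"')]+")


def is_legitimate_host(host, legit=LEGIT_DOMAIN):
    """True only if host is the legitimate domain or a subdomain of it.

    'airline.example.secure-login.biz' is NOT a subdomain of airline.example:
    the registrable domain is whatever comes last, so suffix matching matters.
    """
    host = host.lower().rstrip(".")
    return host == legit or host.endswith("." + legit)


def is_lookalike(host, legit=LEGIT_DOMAIN):
    """Heuristic: brand name embedded in a host that is not the legitimate domain.

    Hyphens and underscores are stripped so 'airline-example.com' is caught.
    Homoglyph / IDN attacks are out of scope for this simplified check.
    """
    host = host.lower()
    if is_legitimate_host(host, legit):
        return False
    brand = legit.split(".")[0]
    return brand in host.replace("-", "").replace("_", "")


def classify_url(url, legit=LEGIT_DOMAIN):
    """Classify a URL's host as 'legitimate', 'lookalike' or 'external'."""
    host = urlparse(url).hostname or ""
    if is_legitimate_host(host, legit):
        return "legitimate"
    if is_lookalike(host, legit):
        return "lookalike"
    return "external"


def sender_address(message):
    """Pull the address out of the From: header of a raw text message."""
    for line in message.splitlines():
        if line.lower().startswith("from:"):
            m = re.search(r"<([^>]+)>", line)
            return (m.group(1) if m else line.split(":", 1)[1].strip()).lower()
    return ""


def analyse_message(message, legit=LEGIT_DOMAIN):
    """Return the sender check, a per-link classification and an overall verdict.

    Anything other than a legitimate sender host AND only legitimate links
    is marked suspicious, which is the conservative behaviour a reader
    of the airline's advice should adopt.
    """
    sender = sender_address(message)
    sender_host = sender.rsplit("@", 1)[-1]
    sender_ok = is_legitimate_host(sender_host, legit)
    links = {url: classify_url(url, legit) for url in URL_RE.findall(message)}
    all_links_ok = all(v == "legitimate" for v in links.values())
    return {
        "sender": sender,
        "sender_host_ok": sender_ok,
        "links": links,
        "verdict": "ok" if (sender_ok and all_links_ok) else "suspicious",
    }


if __name__ == "__main__":
    result = analyse_message(SAMPLE_EMAIL)
    print("Sender:", result["sender"], "(legitimate host)" if result["sender_host_ok"] else "(NOT legitimate)")
    for url, kind in result["links"].items():
        print(f"  {kind:10s} {url}")
    print("Verdict:", result["verdict"])
```

The suffix test in `is_legitimate_host` is the important part: a host that merely begins with the brand's domain, as the sample sender and one of the sample links do, belongs to whoever owns the trailing registrable domain. The heuristic deliberately ignores multi-part public suffixes, internationalised domain names and redirects, so it is a reading aid for the advice in the article rather than a substitute for a mail gateway's filtering.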
“The number of users affected is quite large in this breach, and there could be phishing emails or calls purporting to represent the company,” said Wilson Wong Ka-wai, the head of Hong Kong Computer Emergency Response Team Coordination Centre at the Productivity Council.
“People should be careful when handling financial transactions involving personal information,” he said.
The centre also reminded passengers that the 12-month free data breach surveillance service offered by Cathay to affected passengers would involve handing personal information to a third-party vendor. “Theoretically this will pose an additional data security risk,” the centre said in a reply to the Post’s questions.
Michael Gazeley, managing director of Network Box Corporation, a cybersecurity service provider, said it would not be surprising to see more phishing activities following the leak, with hackers playing on the fears of worried customers.
“The CX case may well result in ‘spear phishing,’ where stolen details are used to customise phishing emails, to make them far more target-specific and believable,” Gazeley said, adding that once personal information hits the dark web it can then be aggregated with other existing leaked data belonging to victims.
According to the airline, a total of 403 expired credit card numbers and 27 credit card numbers with no card verification value were compromised, along with about 860,000 passport numbers and 240,000 Hong Kong ID card numbers.
It said more than half the leaked data included names with phone numbers or email addresses, and there was no evidence that passwords, Asia Miles or Marco Polo Club account information had been illegally accessed.
Cathay has drawn a chorus of criticism for the way it handled the breach. The Hong Kong government also weighed in on Friday, saying it was highly concerned and pressing the airline to cooperate fully with an investigation by the Office of the Privacy Commissioner for Personal Data.
The government said it would jointly review requirements and penalties in the privacy ordinance with the watchdog, and consider steps to enhance data protection.
Speaking on an RTHK programme on Sunday, data protection experts agreed Hong Kong’s privacy law should be revised to require companies to promptly declare data breaches.
Companies operating in Hong Kong or handling citizens’ data are not required by law to report a data breach promptly. By contrast, the European Union’s General Data Protection Regulation (GDPR) requires companies to notify the supervisory authority of a breach within 72 hours of becoming aware of it, where feasible.
Lau Wing-cheong, an associate professor at Chinese University’s department of information engineering, said a new law might require companies to notify regulators and affected customers “within a reasonable time”.
“Speaking also as a victim [of this breach myself], I think the airline should alert the regulator and seek an extension for the necessary investigation. But it’s absolutely unacceptable people were not notified [until now],” Lau added.