‘Cathay Pacific should have alerted shareholders earlier about massive data leak’: calls for Hong Kong stocks regulator to probe matter
- Airline only reported case to stock exchange as ‘inside information’ when approached by the Post
- Disclosure questioned under Securities and Futures Ordinance, especially since announcement was made after Cathay’s interim results in August
The five-month delay by Cathay Pacific Airways in notifying 9.4 million passengers about a data leak has sparked questions over whether the airline should have alerted its shareholders more promptly.
Legal experts said news of the breach in May could affect the company’s share prices and urged regulators to look into why it took so long for Hong Kong’s flag carrier to come clean.
One senior lawyer involved with public bodies overseeing financial policies and regulations noted that Cathay Pacific’s announcement on the night of October 24 was filed as “inside information”.
“The announcement showed the airline was treating the incident as inside information, as opposed to a voluntary disclosure, so it’s only a matter of when Cathay made that call,” said the legal source who did not wish to be named.
This was echoed by shareholder advocate David Webb: “From what is publicly known, it appears the board and senior management knew, or should have known, about the data breach by May 2018.
“They should have recognised it was price-sensitive information to be disclosed under the Securities and Futures Ordinance.”
Under section 307B of the ordinance, a listed company must disclose inside information to the public, “as soon as reasonably practicable after [it] has come to its knowledge”.
The largest data breach in Hong Kong’s history however was kept secret from Cathay passengers and shareholders for months, after the airline detected the unauthorised access in March and confirmed it in early May.
The Post first learned about the leak and reached out to Cathay for a response at about 8pm on October 24. Two hours later, instead of issuing a press release or responding to inquiries, the airline announced it was hacked on the stock exchange’s disclosure platform.
The airline confirmed about 860,000 passport numbers and 240,000 Hong Kong ID card numbers, among other personal information, were accessed.
Cathay’s share price plunged 3.3 per cent the next day – higher than the Hang Seng Index’s drop of 1 per cent on the same day.
Goldman Sachs warned Cathay’s reputation could be affected, but said the expected price of HK$17.2 per share would be maintained.
Syren Johnstone, executive director of the LLM (compliance and regulation) programme at the University of Hong Kong’s law school, said in general, while a case of data hacking might not necessarily be inside information, it also depended on what had been accessed and the implications for a company’s security system as a whole.
Johnstone said Cathay’s delay to inform the market was a concern that required further investigation by regulators to establish facts. He said he expected the Securities and Futures Commission (SFC) to take a closer look at why the hacking was announced after Cathay’s interim results in August, “when the data breach had been confirmed internally but not publicly”.
“Directors should have been aware of the data breach long before their August board meeting to announce the interim results,” Johnstone added.
“If they were not aware, it suggests they may not have appropriate safeguards in respect of their disclosure obligations, which is itself a breach of the Securities and Futures Ordinance.”
Webb suggested the SFC take the case to the Market Misconduct Tribunal over the 2.8 per cent difference in Cathay’s share price to the market average.
“If the tribunal rules against the parties involved, then shareholders who purchased shares between May and October 2018 would be able to use that finding as evidence in a claim that they had overpaid for the shares because they had not been informed about the data breach,” he said.
Cathay did not respond to a Post request for comment. The airline’s company secretary David Fu Yat-hung also did not reply by press time to an inquiry about when it would have disclosed the breach had it not been approached by the media.
Both the SFC and Hong Kong stock exchange said they would not comment on specific cases.
A Post analysis of three major disclosures over data leaks suffered by Hong Kong-listed companies showed they made their cases public no longer than six days after the discovery of the incidents.
On November 14, the personal information of five million customers of toy maker VTech Holdings Limited was suspectedly accessed illegally. The case was noted by the company 10 days later and it announced the breach on November 30.
VTech alerted customers about the scale and types of data leaked, while shareholders and potential investors were reminded to exercise caution when dealing in its shares because a data breach assessment was pending at the time.
In 2017, personal information – such as ID card numbers, passport numbers and credit card numbers – of about 200,000 customers of travel agency WWPKG Holdings were leaked.
Earlier this year, data such as the credit card details of some 380,000 clients of telecommunications company HKBN were breached.
WWPKG and HKBN released inside information announcements within two days of the detection of the breaches, and held press conferences to explain details.
In the United States, a delay in the disclosure of a data breach could result in a penalty by the country’s regulator.
In April this year, Yahoo, now known as Altaba, was fined for taking more than two years to disclose a large data breach affecting more than 500 million accounts, involving emails, birth dates, and passwords.
The details of the case were reported to Yahoo's senior management and legal department, but not disclosed until two years later in an acquisition talk with Verizon.
Altaba settled with the US Securities and Exchange Commission over a US$35 million (HKD$280 million) fine.