Hong Kong’s privacy watchdog launches formal investigation into massive Cathay Pacific data breach

  • Personal details of 9.4 million passengers had been illegally accessed by hackers in March
  • Decision to launch investigation follows row between current and former privacy commissioners
PUBLISHED : Monday, 05 November, 2018, 10:55pm
UPDATED : Tuesday, 06 November, 2018, 1:47am

A formal investigation is being launched over the massive data breach at Cathay Pacific Airways that affected millions of its passengers, Hong Kong’s privacy watchdog announced on Monday.

The decision followed a row between the watchdog’s current and former heads over whether a probe could have been launched immediately, given the scale of the breach.

Following a “compliance check”, there were now reasonable grounds to believe that the airline may have contravened legal requirements, Privacy Commissioner for Personal Data Stephen Wong Kai-yi said in a statement.

“The compliance investigation is going to examine in detail, among others, the security measures taken by Cathay Pacific to safeguard its customers’ personal data and the airline’s data retention policy and practice,” said Wong.

The Personal Data (Privacy) Ordinance empowers the commissioner to carry out public hearings, summon witnesses and enter the premises of Cathay and its subsidiary Hong Kong Dragon Airlines, requiring them to provide evidence as part of an investigation.

Wong’s predecessor Allan Chiang Yam-wang – privacy chief from 2010 to 2015 – had criticised Wong last week for opting for “lax action” instead of a formal probe.

Chiang reiterated on Monday night that a compliance check had been “pointless” and a “waste of public resources and time” given the size of the breach and mounting public concerns.

Cathay Pacific data leak warrants formal investigation, Hong Kong ex-privacy chief says in break with successor

“The company’s management clearly told its clients and the public that there was a problem in its security system,” he told the Post. “The information was not some overheard rumours. I cannot think what else [the commission] would still need before launching an investigation.”

Compliance checks do not oblige organisations to cooperate, and there was nothing to prevent them from providing misleading information to thwart a probe, Chiang said.

An investigation, however, meant a company would be criminally liable if it did so.

He said there were “notable examples” during his tenure where investigations were launched directly.

In his statement, Wong defended his decision to conduct a preceding check as an “established policy and practice”.

“It is entirely incorrect and irresponsible to suggest that after a compliance check, the process of a compliance investigation will automatically stop,” he said.

IT sector lawmaker Charles Mok said the watchdog’s investigations were still mostly toothless and suggested the government amend laws to make notification of potential privacy breaches mandatory. The commission should also be given more powers to launch criminal investigations and initiate prosecutions, Mok added.

As of 5pm on Monday, the watchdog had received 108 enquiries and 89 complaints relating to the breach.

Cathay Pacific data leak: what can customers affected do to protect personal data and get redress?

A spokesman for Cathay Pacific said the company was studying the watchdog’s statement and would continue to cooperate fully.

Cathay Pacific late last month said that personal details of 9.4 million passengers had been illegally accessed by hackers in March and it was only able to confirm the breach in May.

The compromised data included passengers’ names, nationalities, dates of birth, telephone numbers, emails, physical addresses, frequent flier programme membership numbers, passport numbers, Hong Kong ID card numbers and expired credit card numbers.