bodyType

customContents

entityId

entityUuid

articlePageQuery

filter

article

articleBaseAdvertisingInfoArticle

articleListArticle

articleSeoArticle

hooksArticleAcknowledgementGateOverlayArticle

hooksTrackPageViewArticle

hooksContentInterestArticle

articleLinkingDataContent

hooksAmpRedirectArticle

articleSchemaContent

liveArticle

advertZone

sentiment

contentLock

topics

types

sections

paywallTypes

createdDate

publishedDate

sponsorType

urlAlias

moreOnThisArticles

commentCount

authorLocations

authors

corrections

displaySlideShow

multimediaEmbed

printHeadline

seriesContainer

articleSpeeches

socialHeadline

headline

images

flag

firstTopic

glossary

flattenTypeIds

image

relatedLinks

relatedNewsletters

__typename

sponsor

pdfFiles

seriesReverseOrder

series

disableOffPlatformContent

published

updatedDate

summary

subHeadline

body

keywords

readingTime

customTimezone

liveContents

Danny Lee

A major cyberattack that saw the data of 9.4 million Cathay Pacific Airways customers stolen by hackers was far worse than the airline has previously admitted.
Rather than the “suspicious activity” it said it had discovered on its billion-dollar computer network in March, the carrier revealed on Monday that it had been the target of an intense attack lasting more than three months.
LIVE: Cathay Pacific bosses face Hong Kong lawmakers over hacking
Cathay made the shock admission in a written submission to Hong Kong lawmakers ahead of a committee hearing to question the airline’s management team on Wednesday morning.

Such was the intensity of the attack, Cathay said internal and external IT security experts had to focus solely on containment and prevention throughout March, April and May.
The airline also revealed it had spent HK$1 billion (US$128 million) over three years on IT infrastructure and security, but it was not enough to stop what it called “sophisticated attackers” repeatedly targeting and breaching its system.
Cathay’s investment in its IT system included spending on two large data servers and cloud computing, and came during a period when it generated HK$292 billion (US$37 billion) in revenue.
On October 24, the airline revealed it had suffered a major data breach seven months earlier, and said it had taken steps to investigate whether customer data had been compromised.


It took until mid-August for investigators to discover what hackers had been able to steal, and how it had affected customers.
“Cathay was subject to further attacks which were at their most intense in March, April and May but continued thereafter,” the airline said in its statement. “These ongoing attacks meant that internal and external IT security resources had to remain focused on containment and prevention.”
Cathay’s revelations contradict statements it made earlier about what it knew about the cyberattack, and when.
Hong Kong government weighs in on Cathay Pacific data breach
Questioned on a radio show a day after revealing the hack, Paul Loo Kar-pui, the airline’s chief customer and commercial officer, said the company was not able to confirm if its IT system had been breached until early May.
At the time, he did not mention the fact the firm had been subjected to attacks for more than three months.
The hack has prompted a formal investigation by the Hong Kong privacy watchdog, while a police investigation is ongoing.
“The investigation was complex, longer than what we would have wished, and we would have liked to have been able to provide this information sooner,” the airline said.
Cathay, one of Asia’s largest international carriers, has been roundly criticised for not telling customers about the hack immediately. On Monday it repeated expressions of “great regret” and “sincere apologies” to the affected passengers, and hoped to “continue to earn their confidence and trust”.
Worried after Cathay’s data breach? Here’s all you need to know
“Throughout our investigation into this incident, our foremost objective and primary motivation has been to support our affected passengers by providing accurate and meaningful information,” the statement said.
Lawmaker Charles Mok, representing the IT sector, said the company had missed three opportunities over the course of seven months to go public.
“March, May, August they missed all these opportunities to report it,” said Mok, who was unequivocally critical of the airline’s briefing note given to the Legislative Council.
“I think the answers are very vague… they didn’t elaborate.”
Information accessed by the hackers included passengers’ names, nationalities, dates of birth, telephone numbers, email and home addresses, frequent flier programme membership numbers, passport numbers, Hong Kong ID card numbers and expired credit card numbers.
Of the 9.4 million people affected, customers included members of the Asia Miles loyalty programme, the Marco Polo Club frequent flier scheme, as well as non-member passengers.
Cathay CEO Rupert Hogg, chairman John Slosar and Loo, who is responsible for the airline’s IT division and chairman of Asia Miles, are expected to attend the committee hearing on Wednesday.
Additional reporting by Karen Zhang, Alvin Lum and Simone McCarthy


Hong Kong’s Cathay Pacific to increase profit-sharing bonus after strong recovery

‘Technical issue’ forces Hong Kong-bound Cathay flight to return to Kaohsiung

Hong Kong Lunar New Year parade to feature Labubu, wishing tree on floats

Hong Kong’s Cathay Pacific rebrands Dragonair subsidiary in 2016 – from the SCMP archive

Cathay Pacific

Cathay Pacific cyberattack far worse than thought after airline admits facing intense hack for more than three months

Cathay Pacific has said the cyberattack, in which data from 9.4 million customers was accessed, lasted more than three months. Photo: EPA

Image of Cathay Pacific check-in aisles and counters at the Hong Kong International Airport in Chek Lap Kok. 29OCT18 SCMP / Felix Wong

News

Hong Kong

Law and Crime

Hong Kong Economy

Airline makes shock revelation in written submission to Hong Kong lawmakers ahead of committee hearing to grill management
Carrier spent HK$1 billion on computer network, but it wasn’t enough against ‘sophisticated attack’


Airline makes shock revelation in submission to Hong Kong lawmakers and admits it was subjected to intense, repeated hacking for more than three months.
