Cathay Pacific

With Cathay Pacific bosses set for grilling on massive data breach, is carrier heading for hefty EU fine?

  • Hong Kong lawmakers want to know exact details of hacking attack, which airline on Monday revealed had lasted for longer than it said earlier
  • Tough new European Union privacy regulations came into force on May 25
PUBLISHED : Wednesday, 14 November, 2018, 7:34am
UPDATED : Wednesday, 14 November, 2018, 12:05pm

All eyes are on whether Cathay Pacific Airways may face a hefty penalty over its massive data leak after it revealed on Monday that the hacking activities might have stretched beyond the effective date of tough new European Union privacy regulations.

Management of the airline, which has shied away from the Post’s questions related to the exact duration of the data breach that involved 9.4 million customers, will be grilled by lawmakers at a Legislative Council meeting on Wednesday morning.

LIVE: Cathay Pacific bosses face Hong Kong lawmakers over hacking

Legal experts had previously said the airline would probably be spared from the EU’s new General Data Protection Regulation (GDPR), which took effect on May 25. That was because Cathay had said it only detected the problem in March and had it confirmed in early May. The new law was not retroactive.

However, the airline on Monday revealed in a written submission to lawmakers ahead of the Legco hearing that the attack lasted for far longer than it previously admitted.

It did not disclose if the later hack attacks were successful or how long the infiltration lasted.

“These ongoing attacks expanded the scope of potentially accessed data,” it said, without disclosing whether there were breaches after May 25.

Cathay Pacific cyberattack far worse than thought, carrier admits

Craig Choy Ki, convenor of the Progressive Lawyers Group, said that under the new rules, companies were required to report data breaches to supervisory authorities within 72 hours. They could face a fine of 2 to 4 per cent of their annual global revenue, depending on how the GDPR had been infringed.

Cathay’s global revenue in 2017 was HK$97 billion (US$12.4 billion), so, for example, a 4 per cent fine would be HK$3.88 billion.

Andrew Dyson, an expert in privacy law and partner at DLA Piper based in London, said that if a company faced a significant data breach it was generally advisable to notify regulators and customers in a proactive way.

“Even in the pre-GDPR world, I’d be suggesting you talk to the regulators about what’s happening,” Dyson said.

Experts familiar with EU law also noted that if there was a second round of hacking, Cathay would have a defence that it was related to the first attack, and regulators would need to get the facts straight first.

Cathay chairman John Slosar, CEO Rupert Hogg and Paul Loo, chief customer and commercial officer, will appear before lawmakers.

Jeremy Tam Man-ho, a Civic Party lawmaker, said he really wanted to know “how it happened” and at what point did the company first identify data was hacked. He also wanted to know whether the airline had cut or increased spending on data security in previous years.

What victims of Cathay Pacific data leak can do to protect their data

However, lawmakers were divided on whether to invoke the rarely used Legislative Council (Powers and Privileges) Ordinance to compel the company to hand over evidence and to summon witnesses.

Tam said use of the ordinance would depend on the airline’s answers.

But pro-establishment lawmaker Elizabeth Quat doubted the need to invoke the ordinance as she believed the airline had not committed a crime under local privacy laws.

The airline disclosed the breach on October 24. Information accessed by the hackers included a combination of passengers’ names, nationalities, dates of birth, telephone numbers, email and home addresses, frequent flier programme membership numbers, passport numbers, Hong Kong ID card numbers and expired credit card numbers.

Hong Kong government weighs in on Cathay Pacific data breach

Among the unanswered questions for Cathay are:

When did the airline’s top management learn about the hack and at what point did they feel the need to disclose the breach?

Which database was hacked, did it involve a subcontractor, and how did the airline handle the collection of data in the first place?

When did the attacks finally stop and for how long were the hackers successful in obtaining data?

Customers from which countries were affected?

Meanwhile, the Post reached out to people affected by the data leak and found that most were members of the Asia Miles loyalty scheme.

Of the 64 people spoken to, 90 per cent had Asia Miles memberships with a handful of those customers part of the airline’s frequent flier Marco Polo Club programme.

Hong Kong-based IT worker Jason Wong, a member of the Marco Polo Club programme, said: “Even though Cathay claimed they were trying to investigate and fix the problem, it doesn’t mean that they don’t have a responsibility to tell the public. There should be a better way to communicate and improve transparency to the public, rather than trying to hide it at the back.”

Marco Polo Club and Asia Miles member Thomas Ng, a director of a Hong Kong security company, was less than impressed with Cathay.

“As soon as they discovered the breach they should have announced it publicly so that people like myself could take the necessary precautions,” he said.