Cathay Pacific

Here’s what we know, and don’t know about the Cathay Pacific cyberattack after airline bosses faced lawmakers

  • Cathay Pacific trio spend two hours being grilled by lawmakers at Legislative Council
  • Their answers do not leave everyone happy
PUBLISHED : Wednesday, 14 November, 2018, 3:59pm
UPDATED : Wednesday, 14 November, 2018, 5:54pm

Lawmakers grilled Cathay Pacific bosses for two hours on Wednesday about the massive cyberattack that hit the airline this year.

Called “pathetic” by Claudia Mo, and generally attacked for most the time they spent at the Legislative Council meeting, airline CEO Rupert Hogg, chairman John Slosar and Paul Loo Kar-pui, the chief customer and commercial officer, did their best to answer, or not, the questions put to them.

Here are some of the things we now know, and some things we still do not, about the hack that hit 9.4 million customers.

Who was affected?

We finally have some numbers for this, and it does not make good reading for Cathay. Of the 9.4 million people who had personal details accessed, 245,000 Hong Kong identity card holders, and 55,000 Hong Kong passport holders were affected.

Cathay did not give a breakdown for the remaining 9.1 million, although it did reveal that it is being questioned by 27 regulators from 15 jurisdictions.

Cathay under fire worldwide on data breach – ‘one of its worst crises’

Why did it take so long to tell the public?

A question Cathay bosses did a good job of not answering. Hindsight is a wonderful thing, and Slosar admitted that he would have done things differently.

Mo was not convinced and asked the bosses what had happened to the public’s right to know.

The closest we got to an answer was that the airline needed time to investigate before telling people their data had been stolen.

Cathay also decided not to tell the stock market sooner because, as Slosar said, the airline believed that the breach was “not material and not price sensitive”.

How much will this cost Cathay?

Again, not a question with a straight answer. If the European Union opts to fine the carrier under new rules, then it could be between 2 and 4 per cent of their annual global revenue. Cathay’s global revenue in 2017 was HK$97 billion (US$12.4 billion), so, for example, a 4 per cent fine would be HK$3.88 billion.

There seems less threat of Cathay being fined at home, with the law allowing for a HK$50,000 slap on the wrist.

As Civic Party lawmaker Alvin Yeung Nok-kiu pointed out: “You can’t even buy a business class ticket from Cathay with that. This tells us why we need a review of the privacy law.”

However, the loss of trust among passengers could be far costlier, especially as Hogg and Slosar repeatedly refused to address the issue of compensation.

The closest the pair came was in making vague promises of “special offers that people can get excited about”.

What did the airline’s management say?

Chairman John Slosar did say that he would like to “personally apologise to the people of Hong Kong” and said the airline accepted its accountability for the incident.

He revealed that the airline blocks 16,000 external emails a month that contain viruses. His CEO said Cathay regretted the length of time it took to disclose the incident. His assertion that the company’s “intention was good” brought a caustic response from Mo.

As it happened: 'pathetic' Cathay slammed by Hong Kong lawmakers

So, what do we still not know?

So many things. The question of compensation, fines, and if anyone at Cathay will resign over the incident all remain unanswered.

We still don’t know the make-up of the 9.1 million passengers who aren’t from Hong Kong, and why Cathay did not follow the privacy guidelines for reporting a breach in time.