Cathay Pacific under fire from 15 countries on data breach, bosses reveal as they address ‘one of Hong Kong airline’s worst crises’
- Top executives face lawmakers over hack that has affected 9.4 million passengers, and say there was ‘no attempt to cover anything up’
Cathay Pacific Airways on Wednesday said it was facing one of the worst crises in its history as the airline revealed it was being questioned by 27 regulators from 15 jurisdictions over a data breach that has affected 9.4 million passengers.
The disclosure came as top executives from the airline underwent a grilling in the Hong Kong legislature during which they said the majority of affected passengers were from outside the city.
Lifting the lid on the extent of the impact, the executives said 245,000 Hong Kong identity card holders and 55,000 passport holders in the city had been affected. They did not profile the passengers overseas.
Lawmakers called Cathay “pathetic” and accused the carrier of covering up the breach after the airline took seven months to make it public. The incident took place in March but was only announced on October 24.
But Cathay said there had been “no attempt to cover anything up”. It said several internal deficiencies and errors would be resolved.
Legislators demanded compensation for affected customers.
The airline said it was unable to determine the financial impact on its business, but if the carrier is found in breach of new European Union data privacy laws, it could face a fine of up to 4 per cent of annual global revenue.
As it happened: Cathay Pacific boss apologises to people of Hong Kong for massive data breach
The executives said it was “very early days” on the question of fines.
Cathay chairman John Slosar personally apologised and conceded that data had been “improperly accessed”.
The carrier “accepted its accountability” for the hack, he added.
“The incident is a crisis,” Slosar said. “It is one of the most serious the airline has faced.”
He went on to outline promises to improve IT security and training, and said law enforcement authorities would be brought in earlier in future.
Cathay also committed to improvements in internal reporting, board governance and risk management.
What we know, and don’t know, about Cathay cyberattack
There would be many other lessons, Slosar said. He added that the airline was “listening”.
Attempts to resolve and reveal the incident had been frustrated by repeated hacks and the large amount of data involved, the carrier said, explaining its delay in disclosure.
CEO Rupert Hogg said the airline “regretted the length of time” involved but insisted Cathay had been striving to offer each customer accurate information on stolen data.
The intention had been good, Hogg said, but he apologised for the execution.
Asked by the press later whether the company was shying away from announcing compensation, Hogg said “not at all”.
Affected customers were urged to get in touch with the airline, and compensation would be considered on a case-by-case basis, he said.
Is Cathay Pacific heading for hefty EU fine?
Hong Kong constitutional affairs minister Patrick Nip Tak-kuen on Wednesday said officials were open “in principle” to the idea of reviewing data privacy laws to force the disclosure of data breaches.
In 2010 a public consultation exercise on privacy laws found half of respondents preferred voluntary notification. But Nip conceded times had changed and technological advancements required prompt transparency, although the government would need to consider the burden on small and medium-sized enterprises, he said.
Speaking at a separate meeting, Nip said the government hoped to put forward a proposed privacy law in the first half of next year.
Pro-democracy lawmaker Claudia Mo Man-ching slammed the company as “pathetic”. She said Cathay had failed to tell police, the regulator or the public.
“What ever happened to the people’s right to know?” Mo said.
Lam Cheuk-ting of the Democratic Party said Cathay had dodged the question of why it took so long.
However, the focus now, Lam said, should be on how to introduce a mandatory notification scheme for data breaches, and on tougher penalties to deter future offenders.
Cathay Pacific cyberattack far worse than thought
“The government has been using a fixed penalty system which is toothless against large multinational corporations,” he said. “In the EU, companies are punished by a proportion of their revenue.”
Slosar said it was “always a judgment call” whether to disclose. While the breach was a matter of great public interest, he said Cathay had taken the view the incident was “not material and not [share] price sensitive”.
It would be up to Cathay’s board regarding exactly who in the management team would be held accountable for the crisis, Hogg said.
Shares in Cathay were up 4.1 per cent in afternoon trading on Wednesday, at HK$11.10 (US$1.42). It was the highest level in two months as the price recovered from an initial fall following disclosure of the hacking.
The airline is one of the few major Asia-Pacific airlines that have lost money in recent years. The company shed HK$1.25 billion (US$160 million) last year following losses in 2016, on the back of high costs and competitors undercutting its ticket prices. It is in the midst of a three-year restructuring exercise.
