Cathay Pacific passengers ‘don’t feel secure’ after massive data leak hits Hong Kong-based airline
- Emails sent to affected passengers, urging them to update their password
- Lawyers say seeking damages is difficult without suffering actual loss
Cathay Pacific Airways fliers were on Thursday still reeling from the shock of the airline’s massive data leak revealed the night before, but lawyers said it would be hard for the affected passengers to seek damages unless they suffer actual monetary loss.
The Hong Kong-based carrier revealed late on Wednesday night that 9.4 million customers’ personal details including names, nationalities, dates of birth and identification numbers were illegally accessed in March.
The airline is in the process of alerting affected passengers, offering them “ID monitoring services” by a third-party provider.
The victims included Hong Kong resident Marcus Langston. Cathay Pacific on Thursday night alerted Langston via email that his personal data including travel documents and date of birth were involved in the leak.
He said he immediately went online to reference the leak of 380,000 British Airways passengers’ data in August and September to get an idea how his situation might play out.
“After I googled the British Airways case, my main concern was the data being used on the ‘dark web’ as fake identification,” Langston said, referring to media reports that the leaked data was up for sale on the dark web or a crime-linked deep layer of the internet.
As Langston noted that British Airways could face a class-action lawsuit to compensate affected customers, he said Cathay should do more than provide an email urging him to update his password.
Other fliers were awaiting notification about whether their personal information had been compromised in the breach. Some wondered why it took seven months for Cathay to come forward.
Simone Chen said she was concerned about what precautions the company would put in place in future. She added she would be watchful “if there is a financial loss” and “how they offer to compensate it”.
Another flier, Ada Lam, said she was not expecting compensation beyond vouchers if her personal data had been leaked. Lam described the news as the latest in a long line of frustrations that she and other Hongkongers had encountered with the airline.
“They lost money in fuel hedges, but it doesn’t mean they have to cut costs for basic services and frontline staff,” she said. “Passengers get affected.”
Lam has not contacted Cathay to ask about her data, but said the situation left her feeling worse.
“I don’t feel secure,” she explained. “Now I never know who will have my personal data on hand.”
An angry passenger, identified by the user name smileymiley, left a comment on the Post’s website, claiming “in the past six months I have had to cancel credit cards which were registered with Cathay showing unauthorised transactions of US$4,000 from airlines”. He could not be reached for comment.
Under Hong Kong’s privacy law, there is no mandatory time limit for notifying a regulator or affected person of a data breach, lawyer Dominic Wai Siu-chung said, adding that affected passengers face an uphill battle holding the airline accountable.
“Although they could file a complaint with the privacy watchdog, they can't really sue unless they can prove they suffer actual loss, monetary or not,” Wai noted.
Mark Ross-Smith, an airline loyalty data expert who formerly oversaw Malaysia Airline’s business in that area, said depending on how much data was taken, hackers could potentially access and change flights, access a passenger’s lucrative frequent flyer accounts – through brute force or phishing attacks – to potentially steal and spend the air miles on free flights and hotels.
Passengers could be susceptible to a sophisticated phishing attack to make the user think the airline was sending a genuine email.
“It's a scary situation for passengers as there is a big unknown on where their data has gone, who will have access to it, and how it may affect them in the future,” Ross-Smith said.
“Personally I wouldn't trust an email from Cathay at all if I was an affected user. Who knows where the data will go or be sold to on the dark web?”
Additional reporting by Danny Lee