Cathay Pacific Says 9.4 Million Affected by Data Breach
Airline's Five-Month Delay Before Public Disclosure Raises Concern
Hong Kong-based airline Cathay Pacific says the personal details of 9.4 million passengers were inappropriately accessed in March, a breach that was confirmed by the company in early May but only publicly revealed on Wednesday.
That delay is already prompting concern and criticism because the prevalence of data breaches has made the public more attuned to the possible impacts, such as identity theft and fraud.
The data accessed includes names, nationalities, birth dates, phone numbers, email addresses, physical addresses, passport numbers, identity card numbers, frequent flyer program membership numbers, customer service remarks and historical travel information, according to the airline's advisory. The company also notified HKEX, Hong Kong's stock exchange.
Not all of that data was necessarily exposed for the affected passengers, Cathay Pacific says. So far, the company says it does not believe the data has been misused. The IT systems affected are not connected to the airline's flight operations, it says.
Cathay Pacific's notification to the stock exchange notes that 860,000 passport numbers were affected along with 245,000 Hong Kong identity card numbers.
The airline says 27 valid credit cards were affected, but the accessed card data did not include the three-digit CVV, or card verification value. Also, the details for 403 expired cards were accessed.
The airline says no passwords were compromised, and no passenger travel or loyalty profiles were "accessed in full." Those affected will be contacted with information on what types of personal data were exposed, Cathay Pacific says.
The disclosure delay raises immediate questions about whether the airline might have fallen afoul of increasingly strict data protection regulations worldwide, some of which require notifying regulators of breaches.
Hong Kong does not have a law requiring mandatory notification of data breaches to its Privacy Commissioner for Personal Data. But the regulator does encourage the practice, and it does have a form on its website for organizations to report a breach.
"While it is not a statutory requirement on data users to inform the PCPD about a data breach incident concerning the personal data held by them, data users are nevertheless advised to do so as a recommended practice for proper handling of such incident," according to the agency's website.
Europe's General Data Protection Regulation, which went into effect on May 25, requires the reporting of data breaches within 72 hours. Regulators can levy noncompliance penalties of 20 million euros (US$21 million) or up to 4 percent of a company's global revenue, whichever is greater (see: Europe Catches GDPR Breach Notification Fever).
Cathay Pacific says in its statement that it confirmed the breach in "early May." That means even if EU passengers are affected, it may have just avoided needing to report the breach.
"How many of the affected customers booked their tickets from EU locations?" writes Tim De Sousa, a privacy specialist and principal with the privacy and security consultancy ElevenM, on Twitter. "Cathay is fortunate that this event occurred prior to the GDPR coming into force in May, or EU privacy regulators would be causing their compliance team conniptions right now."
But given the international nature of air travel, Cathay Pacific's breach could fall under reporting requirements in other jurisdictions.
For example, Australia's mandatory breach notification law went into effect in February. The law requires some types of organizations to report a breach within 30 days. It applies to companies with more than $3 million in annual turnover and government agencies (see Australia Enacts Mandatory Breach Notification Law).
The Australian law doesn't define what types of breaches should be reported but says it covers those that a "reasonable person" could conclude could cause "serious harm." Regulators can levy fines up to AU$420,000 (US$297,000) for individuals and $2.1 million for organizations for failing to report a breach.
Cathay Pacific is offering free identity theft protection services through credit bureau Experian for those affected. "This service monitors if your personal data may be available on public websites, chat rooms, blogs, and non-public places on the internet where data can be compromised such as dark web sites," the airline says.
Airline Breach Troubles
Cathay Pacific is the second airline to be hit with a significant data security incident in as many months.
In early September, British Airways said as many as 380,000 payment cards were compromised along with personal data between Aug. 15 and Sept. 5. That incident affected anyone who bought or changed a ticket using the website or mobile app.
The airline fell victim to an attack that placed a malicious script on its website that collected payment card details. The attack was believed to be linked to a criminal group dubbed Magecart, which has also struck Ticketmaster (see RiskIQ: British Airways Breach Ties to Cybercrime Group).