Airline Cathay Pacific has become the latest big-name brand to suffer a major data breach, after revealing that data on 9.4 million passengers may have been stolen.
The firm said on Wednesday that it had discovered unauthorized access to IT systems containing a wide range of sensitive personal information, belonging both to its own customers and to those of its business unit Hong Kong Dragon Airlines.
The personal data affected is as follows: passenger name; nationality; date of birth; phone number; email; address; passport number; Hong Kong identity card number; frequent flyer programme membership number; customer service remarks and historic travel information.
Payment card exposure, by contrast, was limited: 403 expired credit card numbers and 27 credit card numbers with no CVV were accessed in the breach.
No further details of how the incident occurred have been released, and the airline is playing down its seriousness by noting that there is no evidence of the data being misused at this point.
“We are very sorry for any concern this data security event may cause our passengers. We acted immediately to contain the event, commence a thorough investigation with the assistance of a leading cybersecurity firm, and to further strengthen our IT security measures,” said CEO, Rupert Hogg.
“We are in the process of contacting affected passengers, using multiple communications channels, and providing them with information on steps they can take to protect themselves. We have no evidence that any personal data has been misused. No-one’s travel or loyalty profile was accessed in full, and no passwords were compromised.”
However, reports suggest the firm first discovered suspicious activity in March 2018 and confirmed that data had been accessed in May, meaning affected customers went unnotified for more than five months.
Given those timelines, the incident is unlikely to fall under the GDPR, which only applied from 25 May 2018, even if, as seems likely, EU citizens’ data was compromised.
Back in April, the Hong Kong privacy commissioner had advised that businesses in the Chinese SAR “should prepare” for the legislation.
Commissioner Stephen Kai-yi Wong today expressed “serious concern” over the incident.
“Organizations in general that amass and derive benefits from personal data should ditch the mindset of conducting their operations to meet the minimum regulatory requirements only,” he said in a statement.
“They should instead be held to a higher ethical standard that meets the stakeholders’ expectations alongside the requirements of laws and regulations. Data ethics can therefore bridge the gap between legal requirements and the stakeholders’ expectations.”
Steve Malone, director of security product management at Mimecast, warned of follow-on attacks.
"Once personal information is compromised, cyber-criminals can implement highly targeted spear phishing and social engineering attacks, often via impersonation emails against friends or business contacts. These impersonation attacks are now the easiest way for criminals to steal money and valuable data,” he said.
“Notified customers should change passwords as a precaution and alert their employer’s IT security teams to help look out for attacks misusing their personal information.”
Randy Abrams, senior security analyst at Webroot, argued that airlines are increasingly in the cross-hairs of attackers.
“In recent months, Air Canada and British Airways have suffered breaches. However, the Cathay Pacific breach disclosed a feature-rich set of data, including more than 40-times more passports than the Air Canada breach, meaning it will have a much greater impact on passengers,” he added.
“In addition to potential monetary theft, having a high number of passports compromised with passenger history and information should be of significant concern to governments across the world as they try to secure their borders.”