With nearly 9.4 million accounts compromised, the recent breach of the Cathay Pacific is possibly one of the largest cyber-attacks of 2018. No major revelations have been made about the attackers. Fortunately, the affected IT systems were separate from its flight operations systems, and haven’t affected the flight safety.
The airline is now facing its first collective legal action in Hong Kong, “where nearly 200 customers have expressed their intentions to claim over the leak,” suggest a report. Even the local government has warned the airline to cooperate with the city’s privacy regulators else face repercussions. The incident has been dubbed as the largest data leak in Hong Kong. “The revelation came months after the breach was discovered in March and confirmed in early May,” suggests the report.
“If Cathay Pacific is not cooperative, the [privacy] commissioner is entitled to take legal action under the ordinance, which carries penalties,” Cheung, a spokesperson on behalf of Chief Executive Carrie Lam Cheng Yuet-ngor said. “[Cathay] has to obey the instructions and fully cooperate with our investigation.”
The leaked personal data includes names, birth dates, phone numbers, email addresses, physical addresses, passport numbers, identity card numbers, flyer program membership numbers, customer service remarks, and history of travel. Apart from these, 403 expired credit card numbers were accessed, and twenty-seven credit card numbers with no CVV were accessed.
“We are very sorry for any concern this data security event may cause our passengers. We acted immediately to contain the event, commence a thorough investigation with the assistance of a leading cybersecurity firm, and to further strengthen our IT security measures,” Cathay Pacific Chief Executive Officer Rupert Hogg said. “We are in the process of contacting affected passengers, using multiple communications channels, and providing them with information on steps they can take to protect themselves. We have no evidence that any personal data has been misused. No-one’s travel or loyalty profile was accessed in full, and no passwords were compromised.”