Cathay Pacific Airways has been criticized for failing to disclose a breach involving the personal data of up to 9.4 million customers until months after it was found.
The Hong Kong company, which operates internationally, admitted on Wednesday that it had found "suspicious activity" on its network in March 2018. Two months later, it confirmed that a slew of personal information—which included passport details—had been accessed.
News that the airline had waited five months to inform the public about the cyber incident was condemned by industry experts, who accused the firm of trying to cover up the breach.
In a press release on Wednesday, Cathay Pacific claimed that it had taken "immediate action to investigate and contain the event." A more detailed report about the breach, also published online, admitted that airline officials had been aware of the unauthorized access for months.
And the scope of the passenger data breach appeared to be vast.
Cathay Pacific said that data lost included names, nationalities, dates of birth, phone numbers, email addresses, home addresses, passport numbers, ID numbers, frequent flyer programme membership numbers, customer service remarks and also historical travel information.
It continued, noting that approximately 860,000 passport numbers and approximately 245,000 Hong Kong identity card numbers were also accessed. It said 403 expired card numbers and 27 credit card numbers with no CVV had been accessed. But it claimed there was "no evidence" that data had been misused. That is a standard line often used in breach notifications.
Cathay Pacific Airways said the affected network had been "separate from the company's flight operations systems." It remains unclear exactly how the systems were breached.
Cathay Pacific's chief executive officer, Rupert Hogg, said the company was now contacting affected passengers. He said no customer passwords had been compromised. The airline has set up a dedicated call center and website for anyone impacted by the data breach.
"Credit is due to Cathay Pacific for setting up a dedicated website and call centre for potentially impacted customers. But this doesn't excuse the fact that this breach was first detected in March and has only now been disclosed," said Etienne Greeff, the chief technology officer (CTO) and co-founder of SecureData, a London-based cybersecurity company.
"Unfortunately, we're likely to see organizations continue this behavior—attempting to cover up significant incidents—as they regard customer data as their own, without any kind of acknowledgement on the impact it could have on their own customers," Greeff added.
Cathay Pacific Airways said that since May, when the breach was confirmed, "analysis of the data [had] continued in order to identify affected individuals and to determine whether the data at issue could be reconstructed." It did not explain why it had waited to reveal the breach.
The Cathay Pacific hack comes in the wake of a cybersecurity incident at British Airways. In September, the airline confirmed that customers' financial details had been stolen.
"The aviation industry is having quite the time of it at the moment," said Ed Macnair, CEO of cyber firm CensorNet. "What is concerning with [the Cathay Pacific] breach is that the issue was identified in March and confirmed in May, and yet Cathay Pacific is only now making it public.
"The airline should have immediately informed those affected, allowing them to act quickly. While it might seem disparate, hackers can use a combination of stolen data to build up a picture of someone, which can lead to identity theft and other serious problems."
Shares in Cathay Pacific fell by 7 percent and reached a nine-year low following the announcement of the breach, Channel NewsAsia reported.
"In today's environment, where data breaches are a common occurrence, how companies react is absolutely critical," Macnair added, detailing the consequences of not being transparent. "Protecting data is critical. Communicating anything that happens is of equal importance."
Uncommon Knowledge
Newsweek is committed to challenging conventional wisdom and finding connections in the search for common ground.
About the writer
Jason Murdock is a staff reporter for Newsweek.
Based in London, Murdock previously covered cybersecurity for the International Business Times UK ...