BFF-24, 25 Questions mount over delay after Cathay Pacific admits huge data leak

238

ZCZC

BFF-24

HONGKONG-CATHAY-PACIFIC-DATA-PROTECTION

Questions mount over delay after Cathay Pacific admits huge data leak

HONG KONG, Oct 25, 2018 (BSS/AFP) – Hong Kong carrier Cathay Pacific came
under pressure Friday to explain why it had taken five months to admit it had
been hacked and compromised the data of 9.4 million customers, including
passport numbers and credit card details.

The airline said Wednesday it had discovered suspicious activity on its
network in March and confirmed unauthorised access to certain personal data
in early May.

However, chief customer and commercial officer Paul Loo said officials
wanted to have an accurate grasp on the situation before making an
announcement and did not wish to “create unnecessary panic”.

News of the leak sent shares in Cathay, which was already under pressure
as it struggles for customers, plunging more than six percent to a nine-year
low in Hong Kong trading.

And local politicians slammed the carrier, saying its response had only
fuelled worries.

“Whether the panic is necessary or not is not for them to decide, it is
for the victim to decide. This is not a good explanation at all to justify
the delay,” said IT sector lawmaker Charles Mok.

And Legislator Elizabeth Quat said the delay was “unacceptable” as it
meant customers missed five months of opportunities to take steps to
safeguard their personal data.

The airline admitted about 860,000 passport numbers, 245,000 Hong Kong
identity card numbers, 403 expired credit card numbers and 27 credit card
numbers with no card verification value (CVV) were accessed.

Other compromised passenger data included nationalities, dates of births,
phone numbers, emails, and physical addresses.

“We have no evidence that any personal data has been misused. No-one’s
travel or loyalty profile was accessed in full, and no passwords were
compromised,” chief executive Rupert Hogg said in a statement Wednesday.

– Probe launched –

But Mok said the public needs to know how the company can prove that was
the case.

MORE/MR/ 1040 hrs

ZCZC

BFF-25

HONGKONG-CATHAY-PACIFIC-DATA-PROTECTION-TWO-LAST

“Such a statement doesn’t give people absolute confidence that we are
completely safe, and it doesn’t mean that some of this data would not be
misused later,” Mok told AFP.

He also pointed out that the the European Union’s new General Data
Protection Regulation says any such breach should be reported within 72
hours.

Hong Kong’s privacy commissioner Stephen Wong expressed “serious concern”
over the breach in a statement Thursday and said the office would initiate a
compliance check with the airline.

“Organisations in general that amass and derive benefits from personal
data should ditch the mindset of conducting their operations to meet the
minimum regulatory requirements only,” Wong said.

“They should instead be held to a higher ethical standard that meets the
stakeholders’ expectations alongside the requirements of laws and
regulations,” he added.

Cathay said it had launched an investigation and alerted the police after
an ongoing IT operation revealed unauthorised access of systems containing
the passenger data.

The company is in the process of contacting affected passengers and
providing them with solutions to protect themselves.

The troubled airline is already battling to stem major losses as it comes
under pressure from lower-cost Chinese carriers and Middle East rivals.

It booked its first back-to-back annual loss in its seven-decade history
in March, and has previously pledged to cut 600 staff including a quarter of
its management as part of its biggest overhaul in years.

BSS/AFP/MR/ 1040 hrs