Cathay Pacific hit by worst ever airline data breach

26 Oct 2018

Cathay Pacific plane. Image: huythoai1978@gmail.com/Depositphotos

Cathay Pacific says that the personal data of up to 9.4m passengers has been accessed in a devastating security breach.

One of the largest airlines in the world, Cathay Pacific, yesterday (25 October) admitted that the personal information on up to 9.4m customers has been accessed by unauthorised actors. The unauthorised access was first suspected in March of this year and the data exposure was later confirmed in May.

What data was accessed?

A vast range of personal information was accessed, including passenger names, nationalities, dates of birth, email addresses, customer service remarks, historical travel data and physical addresses.

As well as these types of data, 860,000 passport numbers and 245,000 Hong Kong ID cards were accessed. About 403 expired credit card numbers were accessed and 27 active cards, but no CVV numbers were obtained.

The airline said that the combination of data leaked “varies for each” affected passenger. CEO Rupert Hogg said: “We are very sorry for any concern this data security event may cause our passengers.

“We acted immediately to contain the event, commence a thorough investigation with the assistance of a leading cybersecurity firm and to further strengthen our IT security measures.”

Hogg added that the company is in the process of contacting those affected and will be providing them with steps they can take to protect themselves. He said: “We have no evidence that any personal data has been misused. No one’s travel or loyalty profile was accessed in full, and no passwords were compromised.”

Police in Hong Kong have also been notified of the data breach and are themselves alerting the relevant authorities. Hogg said: “We want to reassure our passengers that we took and continue to take measures to enhance our IT security.

“The safety and security of our passengers remains our top priority.”

Cathay Pacific criticised

The breach is much larger than incidents reported by Delta and British Airways earlier in the year.

Authorities and some experts have criticised the airline for taking seven months to reveal the breach, adding that the company should have taken initiative on the first day the discovery was made. Cathay’s chief customer and commercial officer, Paul Loo, said the airline wanted to have accurate grasp on the situation and didn’t wish to “create unnecessary panic”.

Brian Vecci, technical evangelist at Varonis, said: “Months went by between when this attack was apparently noticed and when investigators figured out sensitive data might have been stolen, and then almost half a year passed before it was announced.

“That’s unacceptable and highlights just how far behind the eight ball most organisations are when it comes to threat-hunting and incident response.”

Stephen Burke, founder and CEO at Cyber Risk Aware, said:  “At this moment in time, we’re unaware of how the initial breach occurred. If this draws parallels to British Airways, where unpatched systems were publicly accessible and then exploited as a result, this then implies that, not only was data security not thought out properly, but the basics of maintaining and patching systems as well as monitoring the network to identify abnormal behaviour was not being carried out.

“The fact it took six months for the airline to flag this to its customers also shows a lack of incident response process.”

According to the South China Morning Postthe airline is facing a call from the Hong Kong IT industry to extend its free identity surveillance service from 12 months to several years in the wake of the incident.

Cathay Pacific plane. Image: huythoai1978@gmail.com/Depositphotos

Ellen Tannam was a journalist with Silicon Republic, covering all manner of business and tech subjects

editorial@siliconrepublic.com