Cathay Pacific hit by data leak affecting up to 9.4m passengers
Cathay Pacific, Hong Kong’s flag carrier, has suffered a massive data leak after someone gained “unauthorised access” to the information of up to 9.4m passengers, including passport numbers, contact details and travel histories.
Cyber security experts were quick to ask why the airline, which detected the hack in March, had taken seven months to make it public.
“We are very sorry for any concern this data security event may cause our passengers,” said Rupert Hogg, the airline’s chief executive. “We acted immediately to contain the event, commence a thorough investigation with the assistance of a leading cyber security firm and to further strengthen our IT security measures.”
Cathay Pacific said it engaged consultants from Mandiant, part of FireEye, to conduct a forensic investigation into the breach.
The airline said it first detected “suspicious activity” on its IT systems in March and confirmed the “unauthorised access” to certain personal information in early May. It added that it had “no evidence that any personal information has been misused” and was in the process of contacting affected customers, having already informed the Hong Kong police.
Jerry Allen, managing director of Return on Development, a crisis management consultancy focusing on aviation, said it was “not reasonable at all” for Cathay Pacific to have known about the hack for seven months and not notified customers: “If we give our data and credit card details in good faith to make a booking, if there’s a hint that data has been compromised, we deserve to know.”
In the EU, companies that detect a data breach must notify their national authority within 72 hours or face aggravated regulatory consequences.
When asked why Cathay took so long to notify people, the airline said: “We believe it is important to have accurate information to share, so that people know the facts and we can support them accordingly.”
Cathay said the combination of data accessed varied by passenger but included passenger name, nationality, date of birth, contact details, passport number, identity card number, frequent flyer programme membership number and historical travel information.
It added that no passwords and only a small number of credit cards were compromised, all without the CVV code that makes fraudulent use easier. The airline declined to say who was behind the attack or what their motivation was, noting: “We are focused on assisting affected customers.”
Mr Allen said that a passport number on its own was not of great use to hackers, but in combination with other data — such as a person’s name or the country which issued it — could help hackers steal someone’s identity.
Lukasz Olejnik, independent cyber security and privacy researcher and adviser, said it was unclear how Cathay knew that information had not been misused. “Most likely this means that the company is — until today — unaware of misuse,” he said. “It is not really clear how this negative conclusion has been reached, and if and how the company actively sought information regarding the possible misuse.”
This is the latest in a series of aviation-sector hacks. In September, British Airways disclosed that hackers had stolen data relating to about 380,000 customers from its website and mobile app during a two-week period beginning on August 21, at the height of the summer holiday season. Cyber security experts said the BA hack was one of the most serious ever because CVV codes were taken.
Cathay Pacific, which is 30 per cent owned by state-owned company Air China and 45 per cent by the Swire conglomerate, has been struggling under the weight of competition from state-backed rivals in mainland China and the Gulf.
In August, the airline reported an unexpected loss for the first six months of the year as fuel costs mounted, It disclosed a net loss of HK$263m (US$33.5m) in the six months to June.