Phnom Penh Post

Questions mount over Cathay Pacific data breach admission

Cathay Pacific employees work at their counters at the international airport in Hong Kong. ANTHONY WALLACE/AFP

Hong Kong carrier Cathay Pacific came under pressure on Thursday to explain why it had taken five months to admit it had been hacked and that the data of 9.4 million customers, including passport numbers and credit card details, had been compromised.

The airline said on Wednesday it had discovered suspicious activity on its network in March and confirmed unauthorised access to certain personal data in early May.

However, chief customer and commercial officer Paul Loo said officials wanted to have an accurate grasp on the situation before making an announcement and did not wish to “create unnecessary panic”.

News of the leak sent shares in Cathay, which was already under pressure as it struggles for customers, plunging more than six per cent to a nine-year low in Hong Kong trading.

Local politicians slammed the carrier, saying its response had only fuelled worries.

“Whether the panic is necessary or not is not for them to decide, it is for the victim to decide. This is not a good explanation at all to justify the delay,” said IT sector lawmaker Charles Mok.

And legislator Elizabeth Quat said the delay was “unacceptable” as it meant customers missed five months of opportunities to take steps to safeguard their personal data.

Probe launched

The airline admitted about 860,000 passport numbers, 245,000 Hong Kong identity card numbers, 403 expired credit card numbers and 27 credit card numbers with no card verification value (CVV) were accessed.

Other compromised passenger data included nationalities, dates of birth, phone numbers, emails, and physical addresses.

“We have no evidence that any personal data has been misused. No-one’s travel or loyalty profile was accessed in full, and no passwords were compromised,” chief executive Rupert Hogg said in a statement on Wednesday.

But Mok said the public needs to know how the company can prove that was the case.

“Such a statement doesn’t give people absolute confidence that we are completely safe, and it doesn’t mean that some of this data would not be misused later,” Mok said.

He also pointed out that the EU’s new General Data Protection Regulation says any such breach should be reported within 72 hours.

Hong Kong’s privacy commissioner Stephen Wong expressed “serious concern” over the breach in a statement on Thursday and said the office would initiate a compliance check with the airline.

“Organisations in general that amass and derive benefits from personal data should ditch the mindset of conducting their operations to meet the minimum regulatory requirements only,” Wong said.

“They should instead be held to a higher ethical standard that meets the stakeholders’ expectations alongside the requirements of laws and regulations,” he added.

Cathay said it had launched an investigation and alerted the police after an ongoing IT operation revealed unauthorised access of systems containing the passenger data.

The company is in the process of contacting affected passengers and providing them with solutions to protect themselves.

Struggling business

Cathay Pacific is already battling to stem major losses as it comes under pressure from lower-cost Chinese carriers and Middle East rivals.

It booked its first back-to-back annual loss in its seven-decade history in March, and has previously pledged to cut 600 staff including a quarter of its management as part of its biggest overhaul in years.

The troubled airline did not mention financial compensation for passengers affected by the data leak, but British Airways pledged to compensate customers when the UK flag carrier suffered a data hack last month.

BA revealed in September that personal and financial details of about 380,000 customers had been stolen over several weeks.

The leak is the latest to hit global companies in recent years.

Facebook revealed last month that up to 50 million accounts were breached by hackers, while ride-sharing giant Uber was vilified after a breach in 2016 of data on 57 million of its users was revealed only in November last year.

In April, the holding company of Yahoo was fined $35 million by US regulators because it had not informed them until this year that hackers had stolen “crown jewel” data.

And US credit bureau Equifax identified that almost 150 million American consumers’ personal details had been exposed by a massive data breach that had sparked a public outcry.
