Hong Kong-based airline reveals massive data breach of the most sensitive personal data of passengers five months after loss was confirmed
Cathay Pacific is coming under fire for taking months to report a breach of the most sensitive data affecting 9.4 million passengers, including some from its Hong Kong Dragon Airlines division.
Suspicious activity on the airline’s IT systems was discovered in March 2018 and the “unauthorised access” of personal data was confirmed in May, but Cathay Pacific has kept quiet about it until now.
Brian Vecci, technical evangelist at Varonis, said that as insiders and external actors get more sophisticated, organisations must be able to do a better job of detecting suspicious activity quickly and reducing the time it takes to investigate an incident.
Months went by between when this attack was apparently noticed and when investigators figured out sensitive data might have been stolen, and then almost half a year passed before it was announced. That is unacceptable and highlights just how far behind the eight ball most organisations are when it comes to threat hunting and incident response.
The data breach includes 860,000 passport numbers, about 245,000 Hong Kong identity card numbers, 403 expired credit card numbers and 27 credit card numbers with no card verification value (CVV) that were accessed, although the airline claims no passwords were compromised.
Breached data also includes passenger names, nationalities, dates of birth, telephone numbers, email and physical addresses, passport numbers, identity card numbers and historical travel information – all extremely valuable to cyber criminals for identity theft, phishing and fraud.
Chief executive Rupert Hogg said the company is very sorry for any concern this data security event may cause its passengers.
The company acted immediately to contain the event, to commence a thorough investigation with the assistance of a leading cyber security firm, and to further strengthen its IT security measures.
It is not known whether any EU nationals are among the passengers affected, but the airline could face a stiff fine under the EU’s General Data Protection Regulation (GDPR), which has been in full force since May and requires notification of personal data breaches within 72 hours.
However, in April, the privacy commissioner for personal data in Hong Kong, Stephen Kai-yi Wong, made it clear that Hong Kong-based businesses like Cathay must comply with the GDPR.
Wong said that as the EU is Hong Kong’s second-largest trading partner, the new GDPR’s extra-territorial effect suggests that as long as Hong Kong businesses collect and process personal data of EU individuals, they should be prepared to comply with the GDPR’s requirements.
Steve Malone, director of security product management at Mimecast, said it is likely that EU citizens were included in a breach of this size and GDPR questions will be asked.
Malone went on to say that once personal information is compromised, cyber criminals can implement highly targeted spear phishing and social engineering attacks, often via impersonation emails against friends or business contacts. These impersonation attacks are now the easiest way for criminals to steal money and valuable data.
Cyber security commentators said the airline industry is a rich source of personal data for cyber criminals and should ensure that extra care is taken in keeping that data safe.
Although several airlines have been targeted in recent months, including British Airways, Delta Air Lines and Air Canada, the Cathay Pacific breach stands out because of the number of passengers affected and the combination of extremely sensitive data involved.
Ted McKendall, CTO of Trusted, said the breach makes BA’s breach in September of data belonging to 380,000 passengers look “trivial” by comparison.
What is staggering here is the sheer volume of passengers involved, the nature of the data that has been accessed, and how long it took the airline to alert customers.
There are no details yet of how the breach was executed, but McKendall said he can only assume that the extreme delay between identifying the breach and notifying customers is because the airline was trying to patch its systems first.
Although Cathay Pacific has been quick to assure customers that only a small amount of financial information has been leaked, McKendall said the data that has been leaked is more than unsettling.
McKendall stated that passengers’ passport information will have an extremely high price tag on the dark web. Much of this information – names, dates of birth, email and physical addresses – could be used to conduct further attacks against passengers’ other accounts, as these details are often enough to bypass security.
However, sadly that is not the worst of it. All those seriously affected will have to be on the lookout for identity fraud, and this shows just how serious cyber crime has become. Cathay Pacific inherently trust a multitude of companies with their details, but they cannot get them back once they are taken.