Cathay Pacific under fire over breach affecting 9.4 million passengers

Hong Kong-based airline reveals massive data breach of the most sensitive personal data of passengers five months after loss was confirmed

Cathay Pacific is coming under fire for taking months to report a breach of the most sensitive data affecting 9.4 million passengers, including some from its Hong Kong Dragon Airlines division.

Suspicious activity on the airline’s IT systems was discovered in March 2018 and the “unauthorised access” of personal data was confirmed in May, but Cathay Pacific has kept quiet about it until now.

Brian Vecci, technical evangelist at Varonis, said that as insiders and external actors get more sophisticated, organisations must be able to do a better job of detecting suspicious activity quickly and reducing the time it takes to investigate an incident.

Months went by between when this attack was apparently noticed and when investigators figured out sensitive data might have been stolen, and then almost half a year passed before it was announced. That is unacceptable and highlights just how far behind the eight ball most organisations are when it comes to threat hunting and incident response.

The data breach includes 860,000 passport numbers, about 245,000 Hong Kong identity card numbers, 403 expired credit card numbers and 27 credit card numbers with no card verification value (CVV) that were accessed, although the airline claims no passwords were compromised.

Breached data also includes passenger names, nationalities, dates of birth, telephone numbers, email and physical addresses, passport numbers, identity card numbers and historical travel information – all extremely valuable to cyber criminals for identity theft, phishing and fraud.

Chief executive Rupert Hogg said the company is very sorry for any concern this data security event may cause its passengers.

The company acted immediately to contain the event, commence a thorough investigation with the assistance of a leading cyber security firm and further strengthen its IT security measures.

It is not known whether any EU nationals are among the passengers affected, but the airline could face a stiff fine under the EU’s General Data Protection Regulation (GDPR), which has been in full force since May and requires notification of personal data breaches within 72 hours.

However, in April, the privacy commissioner for personal data in Hong Kong, Stephen Kai-yi Wong, made it clear that Hong Kong-based businesses like Cathay must comply with the GDPR.

Wong felt that, as the EU is Hong Kong’s second-largest trading partner, the GDPR’s extra-territorial effect suggests that Hong Kong businesses should be prepared to comply with its requirements as long as they collect and process personal data of EU individuals.

Steve Malone, director of security product management at Mimecast, said it is likely that EU citizens were included in a breach of this size and GDPR questions will be asked.

Malone went on to say that once personal information is compromised, cyber criminals can implement highly targeted spear phishing and social engineering attacks, often via impersonation emails against friends or business contacts. These impersonation attacks are now the easiest way for criminals to steal money and valuable data.

Cyber security commentators said the airline industry is a rich source of personal data for cyber criminals and should ensure that extra care is taken in keeping that data safe.

Although several airlines have been targeted in recent months, including British Airways, Delta Airlines and Air Canada, the Cathay Pacific breach stands out because of the number of passengers affected and the combination of extremely sensitive data involved.

Ted McKendall, CTO of Trusted, said the breach makes BA’s breach in September of data belonging to 380,000 passengers look “trivial” by comparison.

What is staggering here is the sheer volume of passengers involved, the nature of the data that has been accessed, and how long it took the airline to alert customers.

There are no details yet of how the breach was executed, but McKendall said he can only assume that the extreme delay between identifying the breach and notifying customers is because the airline was trying to patch its systems first.

Although Cathay Pacific has been quick to assure customers that only a small amount of financial information has been leaked, McKendall said the data that has been leaked is more than unsettling.

McKendall stated that the passport information of passengers on the dark web will have an extremely high price tag. Much of this information – names, dates of birth, email and physical addresses – could be used to conduct further attacks against passengers’ other accounts, as these details are often enough to bypass security.

However, sadly that is not the worst of it. All those seriously affected will have to be on the lookout for identity fraud, and this shows just how serious cyber crime has become. Cathay Pacific inherently trust a multitude of companies with their details, but they cannot get them back once they are taken.

If you want to save yourself stress, money and a damaged reputation from a cyber incident, for cyber security incident prevention, protection and training please ring us now on 03333 393 139, email assist@cyber139.com or complete the form on our contact page now.

Cyber security criminals outspend businesses in security battles

Cyber security criminals are spending 10 times more money finding weaknesses in the cyber defences of organisations than the organisations they target are spending on protecting against attack.

Research from Carbon Black carried out in August also asked 250 UK-based CIOs, CTOs and CISOs about the attacks they faced over the past 12 months.

In total, 92% of UK businesses have had cyber security breaches in the past year and nearly half of those reported falling victim to multiple breaches (three to five times in the past year).

A total of 82% of respondents said they have experienced more attacks this year than last year. In the financial services sector, 89% said this is the case, while 83% of government organisations and 84% of retailers had also experienced an increase in the number of attacks.

Malware was the most common attack on the UK organisations surveyed, with about 28% experiencing at least one such attempted breach. Ransomware was the next most common, with 17.4% reporting at least one attack.

“Following a global trend, cyber attacks in the UK are becoming more frequent and more sophisticated, as nation state actors and crime syndicates continue to leverage fileless attacks, lateral movement, island hopping and counter incident response in an effort to remain undetected,” said the report. “This issue is compounded by resources and budgeting. Not only is there a major talent deficit in cyber security, there is also a major spending delta.”

The report found that IT leaders believe Russia and China to be the source of the vast majority of cyber attacks, but it identified North America as the starting point for more attacks than Iran and North Korea combined.

If you want to save yourself stress, money and a damaged reputation from a cyber incident with affordable, live systems protection, please ring us now on 01242 521967, email assist@cyber139.com or complete the form on our contact page now.