News
Cathay outlines complexity of industry’s worst cyber attack
November 16th 2018
Hong Kong’s Cathay Pacific Airways this week said it had taken the airline nine months to disclose a cyber attack in March because the attack “involved a number of complex systems that took significant time to analyse”. Read More »
“An enormous amount of work was involved in the investigation, which was highly technical. The process by which the stolen data could be identified, processed and linked to a specific passenger also contributed to the length of time involved between initial discovery and public disclosure,” Cathay said on Monday, ahead of a government hearing on Wednesday.
Hong Kong residents and lawmakers were outraged when it transpired that Cathay had deliberately withheld information about the attack. Hong Kong’s commissioner for personal data, Stephen Wong, has since launched an investigation into the Cathay data leak.
“There are reasonable grounds to believe there may be a contravention of a requirement under the law. The compliance investigation is going to examine in detail, amongst others, the security measures taken by Cathay Pacific to safeguard its customers’ personal data and the airline’s data retention policy and practice,” Wong told Reuters.
Hong Kong politicians and activists are calling on the government to change the law to make the immediate reporting of such incidents mandatory.
Cathay claims the airline has spent more than HK$1billion (US$128 million) on IT infrastructure and security over the past three years and that it will expand its team of security analysts. “We take our responsibilities with respect to our passengers’ personal data very seriously and we acknowledge that there are many lessons that we can and will learn from this event,” Cathay said Monday.
On October 25, Cathay said the airline had discovered a major IT security breach first identified in March. The carrier admitted the passenger data of up to 9.4 million passengers had been compromised, including names, addresses, several forms of personal identification and, in some rare cases, credit card information, albeit without the crucial CVV numbers. The event marked the hitherto worst cyber attack on the industry.
