Cathay Pacific IT restructuring not at fault in data breach
June 14th 2019
Watchdog’s report is some relief to Paul Loo, who oversaw IT transformation.
Hong Kong’s privacy commissioner widely faulted Cathay Pacific for “lax” data security that resulted in approximately 10 million passengers having their data accessed last year in aviation’s largest known data breach.
Of some relief, however, was that the watchdog did not blame Cathay’s IT department restructuring, overseen by executive Paul Loo, who is a contender to be the next chief executive.
“There is no sufficient evidence to suggest that the Incident could be attributed to Cathay’s restructuring of its IT Department,” the watchdog said in a report released last Thursday, before the start of a long weekend in the city.
The public and government criticised Cathay for taking seven months to publicly announce the data breach. Hong Kong has no statutory reporting requirements, so the watchdog did not find any legal violations, but it said Cathay would have been expected to report earlier and that there could be future changes to the law.
Cathay was found to have committed lesser violations, including keeping Hong Kong identity cards in its system for 13 years after the information was used for verification. Cathay has been served an enforcement notice.
Cathay said it is still unaware of any data being misused. This contrasts with a smaller data breach at British Airways, where information was listed on the dark web.