Hong Kong-based airline Cathay Pacific has announced a major data breach affecting up to 9.4 million of its customers. The breach also affects Cathay’s regional airline, Cathay Dragon.
What data has been compromised?
The breach exposed a broad selection of data, including:
- dates of birth
- phone numbers
- passport numbers
- identity card numbers
- frequent flyer programme membership numbers
- customer service remarks, and
- historical travel information.
Rupert Hogg, CEO of Cathay Pacific, confirmed that there is “no evidence that any personal data has been misused. No-one’s travel or loyalty profile was accessed in full, and no passwords were compromised”.
Containing the breach
Hogg said that the airline launched an investigation and notified the police after an IT operation in March revealed unauthorised access to systems containing passenger data. Cathay took action by involving the relevant authorities, bringing in external expertise from a cyber security company and strengthening its IT security measures.
In addition, Cathay has now communicated with customers and set up helplines for concerned individuals to get support. It has also issued guidance to help customers protect themselves, including a recommendation to change passwords and watch accounts for suspicious activity.
However, the situation is unusual in the amount of time taken to report the breach to the public: the compromise was identified in March and confirmed in May, but only publicly disclosed in October. Affected European customers should have been informed “without undue delay” under the EU’s GDPR (General Data Protection Regulation) – despite the airline being based in Hong Kong – especially given the nature of the data leaked.
The airline has said it is “very sorry” for any concerns passengers may have in light of this breach. However, it remains to be seen whether there will be any repercussions for the organisation. The fact that there was such a delay in making the breach public may increase the risk of penalties and reputational damage.
British Airways, Heathrow Airport, Bristol Airport and Air Canada have all suffered data breaches in recent months. It seems as though these high-profile and data-rich organisations are destined to be targeted or even compromised by cyber criminals.
No organisation that handles personal data can afford to be complacent, and IT Governance urges everyone to understand the risks and be prepared for them to materialise. To help with this, take our quiz to assess your breach readiness and highlight areas for improvement.