Most people in the world would describe it as a company "admitting they've been hacked." But if you're the breached company and want to apply the maximum amount of PR spin, you might instead issue a release saying you're "announcing a data security event affecting customer data."
Read beyond the headline, however, and you'll discover that the Hong Kong-based airline has admitted that hackers gained unauthorized access to its internal systems and accessed the passenger data of up to 9.4 million people. With Hong Kong's population being approximately 7.4 million people, it's clear that this is a data breach that impacts travelers around the world. The personal data accessed by the hackers includes passenger names, nationalities, dates of birth, phone numbers, email addresses, addresses, passport numbers, identity card numbers, frequent flier membership numbers, customer service remarks and historical travel information.

In addition, 403 expired credit card numbers were accessed by the hackers, as well as 27 credit card numbers without CVV information. It's obviously good that more financial information wasn't taken by the hackers, but in many ways, it's a red herring. After all, it's relatively simple to freeze a credit card and apply for a new one. It's a lot more difficult and time-consuming to apply for a new passport or Hong Kong identity card. In isolation, personal information such as that described above may not be enough for a criminal to commit - say - identity theft, but combined with other pieces of personal data, it can help a fraudster complete the jigsaw.

Although Cathay Pacific has only just announced that it has suffered a hack, that doesn't mean that the company has only just discovered it has a problem. The airline says that it first detected "suspicious activity" on its network in March and confirmed that there had been unauthorized access to personal information in early May. Cathay Pacific CEO Rupert Hogg apologized for any concern raised by the "data security event":
We are very sorry for any concern this data security event may cause our passengers. We acted immediately to contain the event, commence a thorough investigation with the assistance of a leading cybersecurity firm, and to further strengthen our IT security measures. We are in the process of contacting affected passengers, using multiple communications channels, and providing them with information on steps they can take to protect themselves. We have no evidence that any personal data has been misused. No-one’s travel or loyalty profile was accessed in full, and no passwords were compromised.
In the statement, Cathay Pacific attempts to reassure people that it has seen no evidence of the data being criminally exploited, but frankly, such a statement isn't worth much. An absence of evidence is not evidence of absence - if some of the stolen data has been misused by fraudsters and spammers, it wouldn't necessarily have been linked back to this breach. Put simply, it's perfectly possible that Cathay Pacific has no visibility on data being misused by online criminals.

There will also be inevitable criticism that although it took "immediate action" to contain the security incident, Cathay Pacific chose not to inform the public in a prompt fashion. The airline's share price nosedived as Cathay Pacific came under fire as to why it had taken months to admit it had been hacked. Under European GDPR legislation, breaches should be reported within 72 hours. Cathay Pacific would be wrong to assume that EU legislation has no bearing on its business simply because it is based in Hong Kong. GDPR is relevant to companies anywhere in the world if EU-based customers are put at risk.

In an attempt to explain its delayed announcement, Cathay Pacific said "We believe it is important to have accurate information to share, so that people know the facts and we can support them accordingly." Cathay Pacific says it has informed the Hong Kong police force and has asked that customers who believe they may be affected consult the website infosecurity.cathaypacific.com.

Cathay Pacific is not the only airline to find itself under the cybersecurity spotlight in recent months. Last month, British Airways announced that hackers had stolen 380,000 customers’ personal and payment card information from its website. And in August, Air Canada warned that approximately 20,000 customers could have had their personal information compromised after a data breach in its mobile app.
Editor’s Note: The opinions expressed in this guest author article are solely those of the contributor, and do not necessarily reflect those of Tripwire, Inc.