Cathay Pacific data breach affecting millions of passengers

Cathay Pacific announced that as part of its ongoing IT security processes, it has discovered unauthorised access to some of its information system containing passenger data of up to 9.4 million people.

Upon discovery, the company took immediate action to investigate and contain the event. The company has no evidence that any personal information has been misused. The IT systems affected are totally separate from its flight operations systems, and there is no impact on flight safety. 

Cathay Pacific Chief Executive Officer Rupert Hogg said: “We are very sorry for any concern this data security event may cause our passengers. We acted immediately to contain the event, commence a thorough investigation with the assistance of a leading cybersecurity firm, and to further strengthen our IT security measures. We are in the process of contacting affected passengers, using multiple communications channels, and providing them with information on steps they can take to protect themselves. We have no evidence that any personal data has been misused. No-one’s travel or loyalty profile was accessed in full, and no passwords were compromised.”

The following personal data was accessed: passenger name; nationality; date of birth; phone number; email; address; passport number; identity card number; frequent flyer programme membership number; customer service remarks; and historical travel information.

In addition, 403 expired credit card numbers were accessed. Twenty-seven credit card numbers with no CVV were accessed. The combination of data accessed varies for each affected passenger. 

Cathay Pacific state that they have notified the Hong Kong Police and is notifying the relevant authorities. 

Hogg added: “We want to reassure our passengers that we took and continue to take measures to enhance our IT security. The safety and security of our passengers remains our top priority.”

Ed Macnair, CEO of CensorNet said of the breach: “What is concerning with this breach is the fact that the issue was first identified in March and confirmed in May, and yet Cathay Pacific is only now making it public. Given that the data stolen included passport details, travel itineraries and some payments information – even if only for a small number of people – the airline should have immediately informed those affected, allowing them to act quickly. While it might seem disparate, hackers can use a combination of the data stolen to build up a picture of someone, which can lead to identity theft and other serious problems for individuals. 

“In today’s environment, where data breaches are a common occurrence, how companies react is absolutely critical and any that don’t get this right will see an immediate impact on customer trust and revenue – since the announcement, Cathay Pacific’s share price is already down. Protecting consumer data is critical, but communicating anything that happens is of equal importance. There’s no word yet as to whether or not there was any European citizens data involved, but if it emerges there was, the airline could face an investigation from European authorities under GDPR. The legislation impacts any organisation doing business with European individuals and states that breaches must be reported within 72 hours from when identified – Cathay Pacific is a long way outside that.”  

Rusty Carter, VP of Product Management at Arxan Technologies said: “With the data of over nine million passengers breached, this is the largest exposure of traveller data we have seen this year. It’s indicative that the attackers either moved quicker to exfiltrate data from the target systems or they had more time before they were detected. With attacks like the one against British Airways earlier this year, it shows that the Travel and Hospitality industries are an attractive target industry. It contains individuals who can afford air travel, and especially passport holders, who can afford international travel, and companies that may be more vulnerable to attack. Given the kinds of data the hackers were able to access, it’s easy to see how they can be building sophisticated, comprehensive dossiers on these victims, which go far beyond credit card information.

“Customers should check in not only with their financial institutions, but also closely watch for fraud in things like their tax returns – which leverage some of this same personal information – and take advantage of additional security measures wherever their financial institutions offer them. This attack sheds light on the fact that many enterprise back-end systems and databases are vulnerable, because they must trust the application accessing them. Furthermore, the delay between the breach and the disclosure further highlights the need for regulation to protect consumers. Consumers that were compromised went almost six months before knowing their information was exposed. Companies need to protect their applications from tampering and reverse engineering attacks if they want to keep (or rebuild) their customers’ trust. Key to minimising the impact and likelihood of success is developing strategies that include strong detection and reporting of the health and status of applications both inside and outside the company’s network.”