Contraventions listed by Wong included what he deemed to be the company's failure to spot a "commonly known exploitable vulnerability" in its systems and the exploitation of that vulnerability.
Wong was further critical of the yearly interval between "vulnerability scanning" of Cathay Pacific's internet-facing server, and said the way "the administrator console port" for that server had been set up had opened "a gateway for attackers".
He also took issue with the authentication requirements imposed on those seeking to access personal data on Cathay Pacific's systems remotely. According to Wong, further faults were identified in the company's personal data inventory, in its response to an earlier data security incident and in the security controls in place for a data centre migration project.
The privacy commissioner served an enforcement notice on Cathay Pacific which requires the airline to "engage an independent data security expert to overhaul the systems containing personal data".
Cathay Pacific was also ordered to strengthen remote access authentication controls, commission independent data security testing of its network and change its data retention policy to make it clearer how long it will retain passenger data.
Wong said: "It is quite clear that contraventions aside, Cathay adopted a lax attitude towards data governance, which fell short of the expectation of its affected passengers and the regulator."
Cathay Pacific previously confirmed that it had notified 27 authorities around the world of the data breach. The UK's Information Commissioner's Office (ICO) was one of those authorities. Cyber risk expert Ian Birdsey of Pinsent Masons, the law firm behind Out-Law, said that the failings stated in the Hong Kong privacy commissioner's report could give rise to a significant fine under the General Data Protection Regulation (GDPR) if they are also accepted and enforced by the ICO or another EU data protection authority.
"The Cathay Pacific security incident, including the richness of the personal data, likely harm and the high volume of individuals affected, has the sort of profile that would be likely to attract regulatory scrutiny in the EU and enforcement action," Birdsey said.