igor - Fotolia

Cathay Pacific under fire over breach affecting 9.4 million passengers

Hong Kong-based airline reveals massive data breach of the most sensitive personal data of passengers five months after loss was confirmed

Cathay Pacific is coming under fire for taking months to report a breach of the most sensitive data affecting 9.4 million passengers, including some from its Hong Kong Dragon Airlines division.

Suspicious activity on the airline’s IT systems was discovered in March 2018 and the “unauthorised access” of personal data was confirmed in May, but Cathay Pacific has kept quiet about it until now.

Brian Vecci, technical evangelist at Varonis, said that as insiders and external actors get more sophisticated, organisations must be able to do a better job of detecting suspicious activity quickly and reducing the time it takes to investigate an incident.

“Months went by between when this attack was apparently noticed and when investigators figured out sensitive data might have been stolen, and then almost half a year passed before it was announced,” he said. “That is unacceptable and highlights just how far behind the eight ball most organisations are when it comes to threat hunting and incident response.”

The data breach includes 860,000 passport numbers, about 245,000 Hong Kong identity card numbers, 403 expired credit card numbers and 27 credit card numbers with no card verification value (CVV) that were accessed, although the airline claims no passwords were compromised.

Breached data also includes passenger names, nationalities, dates of birth, telephone numbers, email and physical addresses, passport numbers, identity card numbers and historical travel information – all extremely valuable to cyber criminals for identity theft, phishing and fraud.

Cathay Pacific chief executive Rupert Hogg said in a statement: “We are very sorry for any concern this data security event may cause our passengers.

“We acted immediately to contain the event, commence a thorough investigation with the assistance of a leading cyber security firm and to further strengthen our IT security measures.”

It is not known whether any EU nationals are among the passengers affected, but the airline could face a stiff fine under the EU’s General Data Protection Regulation (GDPR), which has been in full force since May and requires notification of personal data breaches within 72 hours.

However, in April, the privacy commissioner for personal data in Hong Kong, Stephen Kai-yi Wong, made it clear that Hong Kong-based businesses like Cathay must comply with the GDPR.

“As the EU is Hong Kong’s second-largest trading partner, the new GDPR’s extra-territorial effect suggests that as long as Hong Kong businesses collect and process personal data of EU individuals, they should be prepared to comply with the GDPR’s requirements,” he said.

Steve Malone, director of security product management at Mimecast, said it is likely that EU citizens were included in a breach of this size and GDPR questions will be asked.

“Once personal information is compromised, cyber criminals can implement highly targeted spear phishing and social engineering attacks, often via impersonation emails against friends or business contacts,” he said. “These impersonation attacks are now the easiest way for criminals to steal money and valuable data.”

Read more about data breaches

In response to criticism for taking five months to notify affected passengers, Cathay Pacific said in a statement: “We believe it is important to have accurate information to share, so that people know the facts and we can support them accordingly.”

Cyber security commentators said the airline industry is a rich source of personal data for cyber criminals and should ensure that extra care is taken in keeping that data safe.

Although several airlines have been targeted in recent months, including British Airways, Delta Airlines and Air Canada, the Cathay Pacific breach stands out because of the number of passengers affected and the combination of extremely sensitive data involved.

Ted McKendall, CTO of Trusted, said the breach makes BA’s breach in September of data belonging to 380,000 passengers look “trivial” by comparison.

“What is staggering here is the sheer volume of passengers involved, the nature of the data that has been accessed, and how long it took the airline to alert customers,” he said.

“There are no details of how the breach was executed yet, but I can only assume that the extreme delay between identifying the breach and notifying customers is because the airline was trying to patch its systems first.”

Although Cathay Pacific has been quick to assure customers that only a small amount of financial information has been leaked, McKendall said the data that has been leaked is more than unsettling.

“The passport information of passengers on the dark web will have an extremely high price tag,” he said. “Much of this information – names, dates of birth, email and physical addresses – could be used to conduct further attacks against passengers’ other accounts, as these details are often enough to bypass security.

“However, sadly that is not the worst of it. All those seriously affected will have to be on the lookout for identity fraud, and this shows just how serious cyber crime has become. We inherently trust a multitude of companies with our details, but we cannot get them back once they are taken.”

Change passwords

Tim Helming, director of product management at DomainTools, said affected passengers should change their passwords to sensitive accounts as soon as possible and keep an eye out for any unusual email traffic or financial activity. “This type of breach is wearyingly common,” he said. “Companies simply need to do better when protecting our data.”

Sam Curry, chief security officer at Cybereason, said Cathay Pacific and the airline industry as a whole need to rethink their strategy around network detection.

“They need to start taking the fight to the hacker by going on the offensive with more advanced technologies and services that will stop threats before they can materialise,” he said.  

Commenting on the exposure of payment card information, Ryan Wilk, vice-president at NuData Security, a Mastercard company, said: “Data in the wrong hands – especially payment card information – can have a huge impact on customers, far beyond the unauthorised use of their cards.

“Payment card information, combined with other user data from other breaches and social media, builds a complete profile. In the hands of fraudsters and criminal organisations, these valuable identity sets are usually sold to other cyber criminals and used for myriad criminal activities, both on the internet and in the physical world.”

To prevent post-breach damage, Wilk said stolen data needs to be made valueless with multi-layered technology such as passive biometrics technology, which makes stolen data valueless by verifying users based on their inherent behaviour, instead of relying on their personally identifiable information.

“This makes it impossible for bad actors to access illegitimate accounts, as they can’t replicate the customer’s inherent behaviour,” he said.

Randy Abrams, senior security analyst at Webroot, said a large number of passports compromised with passenger history and information should be of significant concern to governments across the world as they try to secure their borders.

“The sheer amount and quality of data leaked can make for extremely targeted social engineering attacks,” he said. “Being able to incorporate details such as travel history can enable cyber criminals to create exceptionally plausible social engineering attacks against enterprises, helping fuel future attacks.”

Read more on Privacy and data protection

Data Center
Data Management