Report Finds That Airline Had "Lax Attitude Towards Data Governance"

Giulio Saggin
Tuesday 28 November 2023

After the information of 9.4 million Cathay Pacific passengers was breached in October 2018, a newly released report by Hong Kong's privacy watchdog has found that the airline "did not take all reasonably practicable steps to protect the Affected Passengers’ personal data".

Several of Cathay's databases were infiltrated during the breach. Cathay pointed out that the databases were partially compromised and no passenger had all their information stolen. All the same, valuable information was accessed, including around 840,000 passport numbers and 560,000 Hong Kong ID card numbers.

Cathay admitted in October 2018 that the breach had been uncovered several months earlier, in March. The airline waited to disclose the attack because it wanted to "fully and accurately understand the scope and specific details of the personal data that had been taken from each affected passenger so as to be able to provide a meaningful, individualised notification to them". However, the report observed that "notification and remedial steps for consumers could have happened sooner".

The report's author and Hong Kong Privacy Commissioner for Personal Data, Stephen Kai-yi Wong, went further: "Cathay adopted a lax attitude towards data governance, which fell short of the expectation of its affected passengers and the regulator."

Cathay has now received an enforcement action and, within six months, needs to "overhaul the systems containing personal data" to make sure they are free of malware and vulnerabilities, implement proper multi-factor authentication, scan for vulnerabilities more regularly, have regular independent security tests completed, and create a "clear data retention policy".

This isn't the first time Cathay has suffered a breach; it suffered another in May 2017. In reference to that incident, Wong said: "Cathay did not take reasonably practicable steps to reduce the risk of malware infections and intrusions to its IT system. The airline should have learnt to respond better."
