Hong Kong’s data watchdog has rapped Cathay Pacific’s “lax attitude” towards data governance in a report on a 2018 data breach that compromised the personal details of almost 10 million passengers.
“The fact that personal data is less tangible than other personalty [like bank notes] or realty does not absolve businesses of their failures to keep it safely and to obliterate it when it is no longer necessary for [its purpose],” states privacy commissioner for personal data Stephen Wong.
“It is quite clear that contraventions aside, Cathay adopted a lax attitude towards governance, which fell short of the expectation of its affected passengers and the regulator.”
Unknown attackers bypassed the cybersecurity of Cathay’s IT systems and exploited vulnerabilities in the system that led to the data breach.
Cathay, the commissioner found, failed to identify the vulnerabilities in its systems, with its annual scans for vulnerabilities were inadequate given the rapidly evolving nature of digital threats.
Among other findings, the commissioner also found that Cathay had not heeded the lessons from a May 2017 data breach. While it took remedial action after that, the carrier did not “take reasonably practicable steps to reduce the risk of malware infections and intrusions to its IT system”.
The commissioner also found that Cathay had unnecessarily retained identity card numbers of some of its customers for longer than necessary.
To this end, the commissioner issued an enforcement notice directing the Oneworld carrier to “overhaul the systems containing personal data”, to ensure they are free of vulnerabilities. Other measures include regular scanning of its system for vulnerabilities, conducting regular independent reviews of its IT systems, and devising a clear data retention policy.
Cathay, in a statement issued after the report was made public, says it is “carefully considering the report” and will decide, in due course, if it is “appropriate to make any detailed public response”.
The airline stressed that it had already beefed up its IT security measures and had spent “substantial amounts” on it.
Cathay announced on 25 October that the personal information of 9.4 million passengers had been compromised in a data breach. Compromised information included names, identity and passport numbers, as well as contact details.
That led to the privacy commissioner for personal data commencing an investigation in early November.
The Cathay data breach came on the back of other similar high profile breaches in the airline industry. In September, British Airways disclosed that data from 380,000 passengers transactions on its website and mobile application were stolen.
In August, Air Canada flagged a security breach on its mobile application that may have compromised some customers’ personal information.