Cathay Pacific says the complexity of the cyber attack it encountered earlier this year was why the airline took 10 months from initial discovery to disclose the security breach.
In a written submission prepared for a joint meeting with regulators scheduled for 14 November, the airline shares that the attack “involved a number of complex systems that took significant time to analyse.”
“An enormous amount of work was involved in the investigation, which was highly technical. The process by which the stolen data could be identified, processed and linked to a specific passenger also contributed to the length of time involved between initial discovery and public disclosure.”
It emphasized, however, that it determined early on that its operations and flight safety systems were not impacted and that flight safety was never compromised.
The Hong Kong carrier made public on 25 October that it suffered a data breach that compromised the personal information of 9.4 million passengers. The breach saw 12 fields of data compromised including names, identify and passport numbers, frequent flyer information, contact details and travel history.
In the written submission, Cathay says investigations first commenced in March when it detected suspicious activity on its network. Even during this phase, where it focused on investigation, containment and remediation, it was hit by further attacks. These were “most intense” in March, April and May but continued thereafter.
“These ongoing attacks also expanded the scope of potentially accessed data, making the challenge of understanding it more lengthy and complex in phase two of the investigation.”
The second phase of investigation involved confirming which data had been accessed and whether they could be read by attackers, with conclusions proving “difficult and time-consuming” and only reached in mid-August.
The third phase was targeted at determining the types of personal data that pertain to each affected passenger and notification.
Cathay adds that it has spent over HK$1billion ($128 million) on IT infrastructure and security over the past three years and that it will grow its team of IT security specialists.
“We take our responsibilities with respect to our passengers’ personal data very seriously and we acknowledge that there are many lessons that we can and will learn from this event.”