Cathay Pacific data breach lasted for months, says airline
Cathay Pacific, one of the main airlines in Hong Kong, admitted that the recent spate of data breaches the airline has experienced over the last three months were the most “intense” data thefts to date.
In a written submission to Hong Kong’s Legislative Council before a panel hearing, the carrier said that it initially detected “suspicious activity” on its computer network back in March and took decisive action to contain any further cyber-attacks.
However, despite their efforts to contain any further breaches, ongoing attacks continued to affect the airline from May onwards.
Constant cyber-attacks resulted in Cathay bringing in external security experts and resources to help prevent any further exposure, but attacks eventually became too difficult for the airline to contain.
“Cathay is cognisant that changes in the cybersecurity threat landscape continue to evolve at pace as the sophistication of the attackers improves,” it said.
“Our plans, which include growing our team of IT security specialists, will necessarily evolve in response to this challenging environment.”
Cathay Pacific data breach
It took until October 24th to reveal that 9.4m passengers had been affected, with hackers accessing personal data including dates of birth, phone numbers, and passport numbers.
Cathay said in the report that the nature of the cyber-attacks they had experienced, and the amount of time it took to carry out investigations to help trace the cyber attacker’s identity, contributed to the airline’s decision to delay announcing the results to the public.
The city’s Privacy Commissioner for Personal Data announced last week that they have launched an investigation into the Cathay Pacific data breach.
A statement released on their website last week said that they have received 108 inquiries and 89 complaints connected to the data breach.
Cathay also revealed last month that data stolen in the breach included 860,000 passport numbers, 245,000 Hong Kong identity card numbers, 403 expired credit card numbers, and 27 credit card numbers with no verification value (CVV).
While the attack exposed millions of Cathay customers’ data, the company insisted there’s no evidence that data was taken or misused.
Commenting on the Cathay cyber-attacks, Ilia Kolochenko, CEO and founder of web security company High Tech Bridge, said: “‘No evidence of misuse’ practically means nothing. Worse, it may mean that someone very smart is exploiting the data in a trivial way, and probably very detrimental for the victims.”
He added: “Moreover, the stolen data can appear for sale on the black market at any time. Taking into consideration the gravity of the breach, customers of Cathay will likely have no reliable recourse apart from promptly changing all their credit card passwords, logins and IDs.
“Cathay may face numerous class actions and individual lawsuits from disgruntled customers, in parallel with severe monetary sanctions imposed by regulators from different countries.”