Cathay Pacific, an airline headquartered in Hong Kong, announced it has discovered unauthorised access to some of its information systems containing passenger data of up to 9.4 million people.
Upon discovery, the company said it took immediate action to investigate and contain the event. There is no evidence that any personal information has been misused.
In a statement, the airline said the IT systems affected were ‘totally separate’ from its flight operations systems and there is no impact on flight safety.
Cathay Pacific Chief Executive Officer Rupert Hogg said: “We are very sorry for any concern this data security event may cause our passengers. We acted immediately to contain the event, commence a thorough investigation with the assistance of a leading cybersecurity firm and to further strengthen our IT security measures.
“We are in the process of contacting affected passengers, using multiple communications channels and providing them with information on steps they can take to protect themselves. We have no evidence that any personal data has been misused. No-one’s travel or loyalty profile was accessed in full and no passwords were compromised.”
The personal data accessed included: passenger name, nationality, date of birth, phone number, email address, passport number, identity card number, frequent flyer programme membership number, customer service remarks and historical travel information.
In addition, 403 expired credit card numbers were accessed. A total of 27 credit card numbers with no CVV were accessed. The combination of data accessed varies for each affected passenger.
Cathay Pacific has notified the Hong Kong Police and is notifying the relevant authorities.
Anyone who believes they may be affected should contact Cathay Pacific.
Hogg added: “We want to reassure our passengers that we took and continue to take measures to enhance our IT security. The safety and security of our passengers remains our top priority.”
Expert opinions
Sam Curry, Chief Security Officer at Cybereason, said: “The Cathay Pacific breach is a clear indication that the airline industry has a target on its back, given that British Airways and Air Canada have also been in the news in recent months for material breaches of customer data and personal information.
“In the bigger picture, it would be premature to speculate on the overall damage to Cathay’s customers and the airline itself. Passengers that travel with Cathay should assume their personal information has already been stolen many times over and it is unfortunately the reality facing billions of people in the connected world we live in.
“Collectively, black hat hackers are patient and their persistence means they are likely to be successful 100% of the time when they attempt to breach a system. This stacks the cards against the defenders, meaning that Cathay and the airline industry as a whole need to rethink their strategy around network detection and start taking the fight to the hacker by going on the offensive with more advanced technologies and services that will stop threats before they can materialise.”
Ryan Wilk, Vice President at NuData Security, a Mastercard company, said: “Data in the wrong hands – especially payment card information – can have a huge impact on customers, far beyond the unauthorised use of their cards.
“Payment card information, combined with other user data from other breaches and social media, builds a complete profile. In the hands of fraudsters and criminal organisations, these valuable identity sets are usually sold to other cybercriminals and used for myriad criminal activities, both on the Internet and in the physical world.
“Using these identities, and sometimes fake identities built from valid data, they’ll take over accounts, apply for loans and much more. Every hack has a snowball effect that far outlasts the initial breach.
“All customer information is valuable to fraudsters. Name, physical and email addresses, passwords, the content of emails. We must change the current equation of ‘breach = fraud’ by changing how we think about online identity verification. To prevent post-breach damage, we need to make stolen data valueless.
“Multi-layered technology that thwarts fraud exists right now. Passive biometrics technology is making stolen data valueless by verifying users based on their inherent behaviour instead of relying on their personally identifiable information. This makes it impossible for bad actors to access illegitimate accounts, as they can’t replicate the customer’s inherent behaviour.
“Analysing customer behaviour with passive biometrics is completely invisible to users. It has the added benefit of providing valid users with a great experience without the extra friction that often comes with other customer identification techniques. When fraudsters try to use stolen customer data or login credentials, they will find the data is useless.
“The balance of power will return to customer protection when more companies implement such techniques and technology.”
Aatish Pattni, Regional Director for UK and Ireland for Link11, said: “The attack stole highly sensitive personally-identifiable information including names, passport numbers, dates of birth, email and physical addresses, which makes it a potential goldmine for hackers.
“This is the second large scale attack on a global airline in as many months and brings the total to four in 2018. This suggests a concerning trend of attacking the aviation industry, as it stores higher-value personal information such as passport numbers.
“Although there are no signs that the stolen data has been used, people who think they may be affected should be wary of any email communications they receive relating to the breach and should not share any other sensitive details by email. Scammers often prey on people’s concerns to try and harvest more data.”
Tim Helming, Director of Product Management at DomainTools, said: “This amount of personal data being breached will undoubtedly make a contribution to further cybercrime in the future. The details released are the most valuable type of PII: more than enough for cybercriminals to target victims via spear phishing ransom campaigns, or to simply steal identities for financial gain.
“The affected customers would be advised to change passwords to sensitive accounts as soon as possible and keep an eye out for any unusual email traffic or financial activity. This type of breach is worryingly common; companies simply need to do better when protecting our data.”
Paul Bischoff, Privacy Advocate at Comparitech, said: “While the Cathay Pacific breach is unfortunate, it seems no usable payment information was breached according to the company’s statement. I would like to know a bit more about the nature of this database and what it was used for. It’s strange that among 9.4 million passengers affected, only a few hundred had any credit card details attached.
“I’m not familiar with Hong Kong’s ID card system, so I won’t comment on the impact of that information being leaked. While it’s not ideal for criminals to know your passport number, it’s typically not sufficient for a criminal to steal your identity, break into your accounts, or commit fraud in your name.”
Ian Smith, Founder and CEO, Gospel Technology, said: “One of the biggest challenges for organisations today is that the technologies that underpin their data processes have not been designed for today’s multi-channel digital world. For example, the solutions that many organisations rely on were designed for an age where data was produced in limited quantities from a handful of sources, not the huge amounts of data generated from an increasing number of sources that we have today.
“As a result, regardless of the security investments, data is bound to inadvertently end up in the wrong hands which is why we continually see headlines about data breaches.
“With today’s consumers being hypersensitive about how their data is stored and processed, organisations cannot afford to take any chances with data access control. The issues of consent and who has access to data are bigger talking points than ever and organisations that are able to win customers’ trust on these matters will give themselves the competitive advantage in today’s customer-driven world.”
Steve Malone, Director of Security Product Management at Mimecast, said: “The Cathay Pacific breach is very concerning in terms of its scale and length of time taken to alert affected customers. It’s likely that EU citizens were included in a breach of this size and GDPR questions will be asked.
“Once personal information is compromised, cybercriminals can implement highly targeted spear-phishing and social engineering attacks, often via impersonation emails against friends or business contacts. These impersonation attacks are now the easiest way for criminals to steal money and valuable data.
“Notified customers should change passwords as a precaution and alert their employer’s IT security teams to help look out for attacks misusing their personal information.”
Phil Beckett, Managing Director of Alvarez and Marsal, said: “Organisations of all sizes must understand the scale of damage these attacks can cause and they must do everything in their power to try to prevent them from happening; but this should not be at the expense of detective and responsive measures. Due to the increased sophistication of attacks, traditional approaches to cybersecurity have been found wanting, meaning even the most diligent companies can fall prey to hackers.
“It’s imperative that organisations put cybersecurity at the heart of their cultures so as not to get left behind. Board members and senior management teams must be proactively involved in understanding and addressing cyber-risk management, and in particular, the response elements of an incident.
“Acting swiftly, with a focused response, is of the utmost importance when it comes to protection. In today’s landscape, organisations would be naive to believe that an attack won’t happen to them, because incidents such as the recent BA hack prove it can and will. Businesses must understand the risks and the consequences an attack can have on both their business and their customers. Enough can never be enough. This should act as a true wake-up call for businesses – if one was ever needed in the first place.”