Cathay Pacific Data Breach Exposes 9.4 Million Passengers

Cathay Pacific, the Hong Kong-based international airline, acknowledged on Wednesday that its computer system had been compromised at least seven months ago, exposing the personal data and travel histories of as many as 9.4 million people.

The breach involved private user information, including phone numbers, dates of birth, frequent flier membership numbers and passport and government ID numbers, as well as information on passengers’ past travels. The airline said that 27 credit card numbers — but not their corresponding security codes — had been obtained, as had 403 expired credit card numbers.

The company said that no passwords were compromised and that the breach would not affect flight operations or safety. It said it learned in May that passenger data had been exposed after first discovering suspicious activity on its network in March. It did not immediately respond when asked whether it had any indication of who was responsible, and why it did not announce the breach earlier.

“The safety and security of our passengers remain our top priority,” said Rupert Hogg, the carrier’s chief executive.

As Asia’s economic might has grown over the past half-century, Cathay has become a major carrier in the region, one known globally for its customer service. Last year it carried nearly 35 million passengers to around 200 destinations in more than 50 countries or territories. But the security breach has come at a tough time for the company, which counts the state-backed carrier Air China as a major shareholder.

Cathay has faced growing competition in the region from low-cost carriers and other emerging rivals and has been losing money for the past two years. Its shares fell in Hong Kong trading on Thursday.

Airlines are juicy targets for hackers, with their vast stores of information not only on people’s identities and credit cards but also on where they have been.

In an era when issues of data protection have come to the fore in Washington and other global capitals, the Cathay breach does not stand out for its scale. The airline said in a filing with the Hong Kong Stock Exchange that around 860,000 passport numbers and 245,000 Hong Kong identity card numbers had been exposed. By contrast, the security breach discovered by Facebook last month involved 50 million user accounts.

Still, the types of information in Cathay’s systems that were compromised could be particularly useful to malicious agents. Names, birthdays, travel itineraries and passport details could be used to reset passwords or obtain private financial information.

Last month, British Airways said that criminals had stolen data on people who booked flights on its website or app during a roughly two-week period in August and September. That security breach exposed personal and financial details, the airline said, but not travel or passport information.

Delta Air Lines said earlier this year that customer payment information had been exposed after a security breach at a company that provided online chat services for it. In that case, no customers’ passport details were compromised, Delta said.

SOURCE: New York Times

Heathrow must pay a £120,000 fine after an employee lost a memory stick containing dozens of staff’s personal details.

The details of up to 50 security personnel, and 10 people’s names, dates of birth and passport numbers, were exposed on the memory stick, which was found by a member of the public.

The data was not encrypted, and the person was able to view it at their local library before sharing the information with a national newspaper.

Upon investigating, UK data watchdog the Information Commissioner’s Office (ICO) found that just two per cent of Heathrow’s 6,500-strong workforce had had data protection training.

Steve Eckersley, head of investigations at the ICO, said: “Data protection should have been high on Heathrow’s agenda. But our investigation found a catalogue of shortcomings in corporate standards, training and vision that indicated otherwise.

“Data protection is a boardroom issue and it is imperative that businesses have the policies, procedures and training in place to minimise any vulnerabilities of the personal information that has been entrusted to them.”

The watchdog also criticised Heathrow’s “widespread” use of memory sticks, saying the practice contravened the airport’s own policies and guidance.

A spokesperson for the airport said it had taken swift action to strengthen processes following the breach.

“We accept the fine that the ICO have deemed appropriate and spoken to all individuals involved,” they added.

“We recognise that this should never have happened and would like to reassure everyone that necessary changes have been implemented including the start of an extensive, information security training programme which is being rolled out company-wide.”

“We take our compliance with all laws extremely seriously and operate within the stringent regulatory and legal requirements demanded of us.”