The following is the media statement from the Privacy Commissioner’s Office following the conclusion of their investigation into the 2018 Cathay Pacific Airways breach. You can download their investigative report from their site here (pdf). The Privacy Commissioner for Personal Data, Hong Kong (Privacy Commissioner) Mr Stephen Kai-yi WONG today published an investigation report on the data breach incident of unauthorised access to personal data of approximately 9.4 million passengers of Cathay Pacific Airways Limited and Hong Kong Dragon Airlines Limited (collectively referred to as Cathay). The Privacy Commissioner found Cathay contravened the data protection principles under the Personal Data (Privacy) Ordinance (Ordinance) relating to personal data security and retention. The Privacy Commissioner served an Enforcement Notice today to direct Cathay to remedy and prevent any recurrence of the contraventions. Major Findings Data Security Cathay did not take all reasonably practicable steps to protect the affected passengers’ personal data against unauthorised access in terms of vulnerability management, adoption of effective technical security measures and data governance, contravening Data Protection Principle 4(1) of Schedule 1 to the Ordinance: Failure to identify the commonly known exploitable vulnerability and the exploitation, and failure to take reasonably practicable steps to accord due deployment of the internet facing server; Vulnerability scanning exercise for the Internet facing server at a yearly interval being too lax in the context of effectively protecting its information systems against evolving digital threats; Failure to take reasonably practicable steps not to expose the administrator console port of the Internet facing server to the Internet, as a result of which a gateway for attackers was opened; Failure to apply effective multi-factor authentication to all remote access users for accessing its IT system involving personal data; Producing unencrypted database backup files to facilitate migration of data centre without adopting effective security controls, thus exposing the personal data of the affected passengers to attackers; Failure to have an effective personal data inventory to cover all systems containing personal data; and Risk alertness being low and failure to take reasonably practicable steps to reduce the risk of malware infections and intrusions to its IT system after the earlier security incident in 2017. Retention There being no justifiable reasons, Cathay did not take all reasonably practicable steps to ensure that the Hong Kong Identity Card numbers of the affected passengers were not kept longer than was necessary for the fulfilment of the defunct verification purpose for which the data was used, contravening Data Protection Principle 2(2) of Schedule 1 to the Ordinance. Data breach notification There being no statutory requirements under the Ordinance for a data breach notification, whether to the Privacy Commissioner or the affected passengers, and whether within a particular period of time or otherwise, the Privacy Commissioner found no contravention of the Ordinance in this connection. Cathay could have notified the affected passengers of the suspicious activity once detected back in March 2018 and advised them of the appropriate steps to take earlier to meet their legitimate expectation. Enforcement Notice The Privacy Commissioner exercised his power pursuant to section 50(1) of the Ordinance and served an Enforcement Notice to direct Cathay to: Engage an independent data security expert to overhaul the systems containing personal data; Implement effective multi-factor authentication to all remote users for accessing its IT system involving personal data and undertake to conduct regular review of remote access privileges; Conduct effective vulnerability scans at server and application levels; Engage an independent data security expert to conduct reviews/tests of the security of Cathay’s network; Devise a clear data retention policy to specify the retention period(s) of passengers’ data, which is no longer than is necessary for the fulfilment of the purpose, and undertake to implement effective measures to ensure effective execution; and Completely obliterate all unnecessary HKID Card numbers collected from Asia Miles membership programme from all systems. Data Governance Mr Stephen Kai-yi WONG, the Privacy Commissioner, added: “The fact that personal data is less tangible than other personalty (e.g. bank notes) or realty does not absolve businesses of their failures to keep it safely and to obliterate it when it is no longer necessary for the fulfilment of the purpose for which the data is or is to be used. To give effect to the legal requirements, there is also an expectation of comprehensive, effective and evidenced privacy compliance policies and programmes being put in place, relevant and scalable for the businesses concerned, as well as demonstrable internally and externally. This legitimate expectation comes from both the customers, who are the data subjects, and the regulators. “During the investigation, I was mindful of the accuracy and sensitivity, and exercised due care and diligence to ensure that I had the accurate facts on which my investigation and findings were based and that disclosure of these facts could not be potentially exploited or used to compromise Cathay’s information systems security, flight operation and business secrets. It is quite clear that contraventions aside, Cathay adopted a lax attitude towards data governance, which fell short of the expectation of its affected passengers and the regulator.”
From EJInsight: The Legislative Council has decided to take action on the massive data breach at Cathay Pacific Airways, which has affected the personal information of as many as 9.4 million customers. Amid calls for more stringent regulations on personal data protection, lawmaker Horace Cheung Kwok-kwan from the Democratic Alliance for the Betterment and Progress of Hong Kong said Legco will hold a special meeting on Nov. 14 to thoroughly discuss how to prevent similar incidents from happening again through regulatory approaches. Read more on EJInsight.
The Privacy Commissioner for Personal Data, Hong Kong (Privacy Commissioner), Mr Stephen Kai-yi WONG, expressed serious concern over the Cathay Pacific Airways data breach incident, noting that the incident might involve a vast amount of personal data (such as name, date of birth, passport number, Hong Kong Identity Card number, credit card number, etc) of local and foreign citizens. The office of the Privacy Commissioner for Personal Data, Hong Kong (PCPD) would proactively contact the airline and initiate a compliance check. The Privacy Commissioner advised the airline to notify the affected clients as soon as possible, and take remedial steps with details explained immediately. Mr Wong said that organisations must take effective security measures to protect the personal data of its clients. If an external service provider is engaged as a data processor, the organisation must adopt contractual or other means to safeguard personal data from unauthorised or accidental access, processing or use. Mr Wong reminded members of the public that if they find any abnormalities with their personal accounts of the airline concerned or credit card accounts, they should contact the airline and the related financial institutions. They should also change the account passwords and enable two-factor authentication to protect their personal data. Mr Wong stated that while reporting of data breach is voluntary, any organisation concerned is encouraged to notify the PCPD. By doing so, the PCPD can work together with the organisation to minimise the potential damage to clients. Mr Wong stressed, “Organisations in general that amass and derive benefits from personal data should ditch the mindset of conducting their operations to meet the minimum regulatory requirements only. They should instead be held to a higher ethical standard that meets the stakeholders’ expectations alongside the requirements of laws and regulations. Data ethics can therefore bridge the gap between legal requirements and the stakeholders’ expectations. This is in fact the ‘Data Stewardship Values’ advocated in the research report recently issued by the PCPD: respectful, beneficial and fair.” Source: Privacy Commissioner for Personal Data, Hong Kong
Reuters reports: Cathay Pacific Airways said on Wednesday (Oct 24) that data of about 9.4 million passengers of Cathay and its unit Hong Kong Dragon Airlines had been accessed without authorisation. Cathay said 860,000 passport numbers, about 245,000 Hong Kong identity card numbers, 403 expired credit card numbers and 27 credit card numbers with no card verification value (CVV) were accessed in the breach. Read more on Straits Times.