Cathay faces 9.4m seething passengers on data leak :Top News | Jane Cheung 26 Oct 2018
About 9.4 million passengers of Cathay Pacific affected by a data breach will be notified by today after the company was blasted for keeping customers in the dark for seven months.
Shares of Cathay Pacific plunged 4 percent to HK$10.22 yesterday after the Hong Kong flagship carrier admitted the massive data leak.
Shares once fell as much as 6.8 percent to HK$9.90 in early trading, hitting a nine-year low, and shaving as much as HK$361 million off its market value. The Hang Seng Index fell 1 percent.
The airline announced late on Wednesday night that passengers' data, including their names, telephone and passport numbers and part of their credit card information, had been accessed without authorization.
They included 240,500 HKID card numbers and another 50,000 with HKSAR passport numbers.
Credit card information was also leaked, including 403 expired accounts and 27 without a card verification code.
All those affected were yesterday offered free identity surveillance service for 12 month. This service, provided by Identity Works Global Internet Surveillance, will monitor whether passengers' personal information is exposed on public websites, chat boxes and the dark web.
The company first spotted "irregularities" in March. It was confirmed to be unauthorized viewing of data in May, after the airline commissioned a cyber-security company for a comprehensive check.
Cathay chief executive Rupert Hogg apologized for the data leakage.
"We acted immediately to contain the event, commence a thorough investigation with the assistance of a leading cybersecurity firm, and to further strengthen our IT security measures," he said.
He said the company had reported the case to the police and had set up a hotline and website dedicated to customer inquiries on the issue.
Paul Loo Kar-pui, chief customer and commercial officer of Cathay Pacific, yesterday defended the company, saying it was not trying to bury the problem. Instead, it wanted to avoid unnecessary panic, he said.
Speaking on a radio program, Loo said the airline spent much time and resources to understand which passengers had their personal data breached.
Asked why the company did not announce the incident in May, he said the company saw only hints of data breach at that time.
"We didn't want to make any rash move, but we wanted to carefully understand what had happened, and we didn't want unnecessary panic," he said.
On the same program, Stephen Wong Kai-yi, privacy commissioner for personal data, said reporting a data breach was voluntary. Even if Cathay did not report the case immediately, it was not against the law.
But he said the airline might have disappointed passengers on a moral level.
"In terms of data ethics, it should be reported immediately upon discovery of any irregularities or suspicious activities," Wong said.
In a media statement earlier, Wong said the Office of the Privacy Commissioner for Personal Data would start an investigation and compliance check with the airline, and expressed serious concern over the issue.
Last month, British Airways found hackers stealing credit card details of 380,000 customers.
Lawmakers considered an emergency meeting to discuss the matter. Lam Cheuk-ting from the Democratic Party described it as the largest data breach in the history of the SAR.
Elizabeth Quat, chairwoman of the Legislative Council Panel on Information Technology and Broadcasting, said she was one of the affected passengers. She suggested discussing the matter in a joint committee of security, constitutional affairs and IT panels.
Lawmaker for the IT sector Charles Mok said the SAR was lagging behind international standards in privacy laws and urged the government to introduce fines in the local ordinance.
He said the General Data Protection Regulation in Europe requires companies to inform authorities within 72 hours after becoming aware of a data breach.
Geoffrey Cheng, an analyst at Bocom International Holdings Co, wrote in a research note yesterday: "At this point, we believe it is uncertain if Cathay Pacific would be liable to any fines imposed by government authorities for such a breach.
"However, we expect the share price jitters to linger for a while."
Brock Silvers, managing director of Kaiyuan Capital, said: "Cathay did shareholders no favors with its delayed response, one which many investors saw as insufficiently detailed."
Editorial: Page 12