"We are very sorry for any concern this data security event may cause our passengers. We acted immediately to contain the event, commence a thorough investigation with the assistance of a leading cybersecurity firm, and to further strengthen our IT security measures. We are in the process of contacting affected passengers, using multiple communications channels, and providing them with information on steps they can take to protect themselves. We have no evidence that any personal data has been misused. No-one’s travel or loyalty profile was accessed in full, and no passwords were compromised."

In the statement, Cathay Pacific attempts to reassure people that it has seen no evidence of the data being criminally exploited, but frankly, such a statement isn't worth much. An absence of evidence is not evidence of absence - if some of the stolen data has been misused by fraudsters and spammers, it wouldn't necessarily have been linked back to this breach. Put simply, it's perfectly possible that Cathay Pacific has no visibility on data being misused by online criminals.

There will also be inevitable criticism that although it took "immediate action" to contain the security incident, Cathay Pacific chose not to inform the public in a prompt fashion. The airline's share price nosedived as Cathay Pacific came under fire as to why it had taken months to admit it had been hacked.

Under European GDPR legislation, breaches should be reported within 72 hours. Cathay Pacific would be wrong to assume that EU legislation has no bearing on its business simply because it is based in Hong Kong. GDPR is relevant to companies anywhere in the world if EU-based customers are put at risk.

In an attempt to explain its delayed announcement, Cathay Pacific said "We believe it is important to have accurate information to share, so that people know the facts and we can support them accordingly."

Cathay Pacific says it has informed the Hong Kong police force and has asked that customers who believe they may be affected consult the website infosecurity.cathaypacific.com.

Cathay Pacific is not the only airline to find itself under the cybersecurity spotlight in recent months. Last month, British Airways announced that hackers had stolen 380,000 customers’ personal and payment card information from its website. And in August, Air Canada warned that approximately 20,000 customers could have had their personal information compromised after a data breach in its mobile app.

Editor’s Note: The opinions expressed in this guest author article are solely those of the contributor, and do not necessarily reflect those of Tripwire, Inc.