Elements of Cathay Pacific’s IT systems were “too lax” in securing passenger information in the period before the airline suffered a massive data breach, an investigation has found.
The findings, published on Thursday, were part of Hong Kong privacy commissioner for personal data Stephen Wong’s report into Cathay Pacific’s October 2018 data breach.
“It is quite clear that contraventions aside, Cathay adopted a lax attitude towards data governance, which fell short of the expectation of its affected passengers and the regulator,” Wong said in a statement.
Wong’s report said Cathay Pacific failed to identify a commonly known exploitable vulnerability and did not take reasonably practicable steps to secure the deployment of the internet-facing server through which the attackers accessed the data.
“Cathay’s vulnerability scanning exercise for the Internet Facing Server at a yearly interval was too lax in the context of effectively protecting its information systems against evolving digital threats,” the report said.
“Cathay had not taken reasonably practicable steps not to expose the administrator console port of the Internet Facing Server to the Internet, as a result of which a gateway for attackers was opened.”
In October 2018, Cathay Pacific said it had suffered a massive data breach affecting up to 9.4 million people.
The airline said it had discovered unauthorised access to personal data such as passenger name, nationality, date of birth, phone number, email, address, passport number, identity card number, frequent flyer programme membership number, customer service remarks and historical travel information.
Approximately 860,000 passport numbers and approximately 245,000 Hong Kong identity card numbers were accessed, as were 403 expired credit card numbers and 27 credit card numbers with no CVV.
Cathay Pacific said it had first noticed suspicious activity on its network in March 2018, with unauthorised access to personal data confirmed in May 2018. It then went public in October 2018.
The Hong Kong privacy commissioner said it had served Cathay Pacific an enforcement notice that directed the airline to take eight actions.
These included engaging an independent data security expert to overhaul the systems containing personal data, conducting regular reviews and tests of the airline’s network, devising a clear data retention policy, and removing all unnecessary Hong Kong identity card numbers, in any form, held for its Asia Miles frequent flyer programme from all systems.
Cathay Pacific said in a statement to The Stock Exchange of Hong Kong it was carefully considering the report with its advisers and would decide later whether it was appropriate to make any detailed public response.
“The Company would once again like to express its regret, and to sincerely apologise for this incident,” Cathay Pacific said.
“The Company has already taken measures to enhance its IT security in the areas of data governance, network security and access control, education and employee awareness, and incident response agility.
“Substantial amounts have been spent on IT infrastructure and security over the past three years and investment in these areas will continue.”
The full report can be found on the Hong Kong privacy commissioner for personal data website.