Everyone in Hong Kong now knows about the Cathay Pacific data breach, which compromised the personal information of up to 9.4 million passengers.
Not all data breaches are created equal. This particular one hits close to home, and many are irked that while the breach occurred in May, it was only disclosed recently.
“This [event] is very disappointing given the high level of trust that passengers local and worldwide has placed in the airline,” said Charles Mok, Hong Kong's Legislative Councillor for Information Technology. “While this data breach will undoubtedly undermine the international image of Hong Kong, I'm even more concerned with how it took Cathay Pacific nearly half a year before finally notifying the privacy regulator and affected passengers all over the world.”
“CX seems to have detected the unusual traffic themselves, but we don't know how much time passed between the breach and the detection,” said Richard Stagg, managing consultant for Hong Kong-based security firm Handshake Networking. “If it was the same day, bravo! If it was a six month gap then...whatever is the opposite of bravo.”
“We are very sorry for any concern this data security event may cause our passengers,” said CX CEO Rupert Hogg in a statement.
Yes, well I'm sorry too, Mr Hogg. As a long-time Cathay flyer and Marco Polo Club member, I entrusted your firm with data few corporate entities possess. My passport details, for example. Perhaps this sensitive information has been leaked elsewhere—after all, the internet leaks constantly, and many people blast information on platforms like Facebook and Google whose business is essentially data-trading.
Yours is not. Your business is getting planeloads of passengers and cargo from Point A to Point B. Your processes require accurate data which is often sensitive in nature. You were Hong Kong's flagship carrier before your acquisition of Dragonair in 2006, and nowadays your profile is even higher. As Mok said: “This data breach will undoubtedly undermine the international image of Hong Kong.”
I know that sounds harsh, but I like flying Cathay, and I appreciate their role in Hong Kong's excellent supply chain. Upon this rock in the South China Sea, we enjoy goods and services that are the envy of many Asian cities, and Cathay is a part of that. Your flight attendants work very hard to make air travel more enjoyable (some would say “bearable”). Your luggage tags are permanently affixed to my travel bags because more often than not, I'm on CX.
Please regard this opinion piece as “tough love”—I'm not cancelling my low-level club membership over this. But you need to know how Hong Kongers feel. My personal feeling: this hits hard because we view Cathay as “our” local airline. Watch any Hong Kong film from the 70s or 80s—if a plane lands or takes off from Kai Tak, it says “Cathay Pacific” in big green letters on the side.
So let's unpack this a bit.
“The massive data breach that hit Cathay Pacific is one of the most serious data breach incidents ever in a Hong Kong company, affecting close to 10 million passengers worldwide,” said Mok. “Based on the information available so far, owing to the sophisticated nature of the attacks, the company has engaged an external information security consultant to assist its investigation and has confirmed the data breach in May 2018. Based on the Privacy Commissioner’s guidelines on handling data breaches, when a real risk of harm is reasonably foreseeable in a data breach, the data user should notify affected data subjects and related parties as soon as possible.”
Mok said that “British Airways also suffered from a major hack in late August to early September affecting sensitive personal and financial information of more than 380,000 customers [and] the company reported the incident within three days to regulators and the public, as the GDPR has an explicit mandatory requirement that data breach incidents must be reported within 72 hours to relevant authorities.”
“Whether this sparks a HK mandatory disclosure law is another matter,” said Stagg. “I suspect CX weren't planning to disclose at all except something forced their hand, and I think that's drawn significant attention to the need for mandatory disclosure, aside from the GDPR pressure.”
Our existing PDPO dates from the mid-1990s, as Mok explained in a Computerworld Hong Kong opinion piece last June, and well worth a re-read today. Is it now time to update our legislation to better reflect the new requirements as dictated by the GDPR? Does the GDPR represent best practices, and if so, isn't that what Hong Kong aspires to?
Actions and consequences
“In the past few years, major data breaches at government departments, tourist agencies, and ISPs have once again demonstrated the importance of investing in IT to boost cyber-security readiness and having a comprehensive incident response plan,” said Mok. “Last year CX underwent a major restructuring and made significant cuts in its Information Technology department, affecting one-fifth of its IT staff.”
“Cathay Pacific owes its customers a detailed explanation of how they allowed their systems to be exploited and how they will prevent this from occurring again,” said the Legislative Councillor. “This massive data breach incident is a reminder to senior management that IT is not a cost center, but a crucial foundation for ensuring operations and security against fast-evolving information security threats.”
Stagg adds additional perspective: “The real lesson that people will take away from this is: 'oh, what's the use?' There's a real sense that, whatever you invest, no matter how carefully you implement and test and add layers of security, some [entity] is going to breach you ANYWAY, eventually. And this is—to a certain extent—true, and explains both the growth in cybersecurity insurance and the explosion of privacy legislation that says companies shouldn't store anything they can't afford to lose (and the fines will make sure they really THINK about what they can afford).”
“The real impact of this breach is that large numbers of smaller enterprises will be demoralized, questioning the point of investment in security appliances, software, procedures and compliance,” said Stagg. “And that really is good news for the bad guys.”
Mok: “It is time for Hong Kong to strengthen our privacy law.”
Yes, it is.