Story image

Details of 9mil compromised in Cathay Pacific data leak

26 Oct 2018

Cathay Pacific has discovered unauthorised access to some of its information system containing passenger data of up to 9.4 million people. 

The following personal data was accessed: passenger name; nationality; date of birth; phone number; email; address; passport number; identity card number; frequent flyer programme membership number; customer service remarks; and historical travel information.

In addition, 403 expired credit card numbers were accessed.

Twenty-seven credit card numbers with no CVV were accessed. The combination of data accessed varies for each affected passenger.

Cathay Pacific has notified the Hong Kong Police and is notifying the relevant authorities. 

Upon discovery, the company took action to investigate and contain the event. 

It has no evidence that any personal information has been misused.

The IT systems affected are separate from its flight operations systems, and there is no impact on flight safety. 

On a statement on its website, Cathay Pacific chief executive officer Rupert Hogg says, “We are very sorry for any concern this data security event may cause our passengers.

“We acted immediately to contain the event, commence a thorough investigation with the assistance of a leading cybersecurity firm, and to further strengthen our IT security measures.

“We are in the process of contacting affected passengers, using multiple communications channels, and providing them with information on steps they can take to protect themselves. 

“We have no evidence that any personal data has been misused. No-one’s travel or loyalty profile was accessed in full, and no passwords were compromised.”

Hogg adds “We want to reassure our passengers that we took and continue to take measures to enhance our IT security. The safety and security of our passengers remains our top priority.”

Mimecast country manager Nick Lennon says, “The Cathay Pacific breach is very concerning in terms of its scale and length of time taken to alert affected customers. It’s likely that EU citizens were included in a breach of this size and GDPR questions will be asked.

“Once personal information is compromised, cybercriminals can implement highly targeted spear-phishing and social engineering attacks, often via impersonation emails against friends or business contacts. These impersonation attacks are now the easiest way for criminals to steal money and valuable data.

Lennon says, “Notified customers should change passwords as precaution and alert their employer’s IT security teams to help look out for attacks misusing their personal information.”

Ping Identity offerings accelerates cloud MFA and SSO adoption
90% of respondents trust MFA as an effective security control to protect identity data in public clouds, yet only 60% of organisations have formally adopted it.
Trend Micro introduces cloud and container workload security offering
Container security capabilities added to Trend Micro Deep Security have elevated protection across the DevOps lifecycle and runtime stack.
Veeam joins the ranks of $1bil-revenue software companies
It’s also marked a milestone of 350,000 customers and outlined how it will begin the next stage of its growth.
Veeam enables secondary storage solutions with technology partner program
Veeam has worked with its strategic technology alliance partners to provide flexible deployment options for customers that have continually led to tighter levels of integration.
Veeam Availability Orchestrator update aims to democratise DR
The ability to automatically test, document and reliably recover entire sites, as well as individual workloads from backups in a completely orchestrated way lowers the total cost of ownership (TCO) of DR.
Nuix eyes legal sector as eDiscovery demand skyrockets
eDiscovery must encompass so much more than email and documents. If you haven’t looked at text messages and online chats, digital images, mobile devices, data in the cloud and social media, you’re not getting the whole story.
EXCLUSIVE: Forcepoint global channel chief talks strategy
As a solution sold 100% via the channel, cybersecurity solutions company Forcepoint places a strong emphasis on its partner relationships.
Salesforce continues to stumble after critical outage
“To all of our Salesforce customers, please be aware that we are experiencing a major issue with our service and apologise for the impact it is having on you."