Data breach
 

Just received this.... seems to be becoming very common place amongst airlines.

Dear Mr .....

At Cathay Pacific, we are committed to protecting your personal data and your privacy, and we take this commitment very seriously. As a consequence we wanted to let you know as soon as possible that we learnt of an incident experienced by a third-party service provider: SITA (SITA Passenger Service System) used by some of our oneworld partner airlines.

To be clear, this incident did not involve any Cathay Pacific systems or systems related to the services we use. Instead, the incident relates to SITA services used by certain airlines we have partnered with.

As part of the oneworld service, these airlines do have limited and basic information – specifically your name, membership number and tier, seating preferences and a code corresponding to your meal preferences.

As far as Cathay Pacific is concerned, we can reassure you that your account remains secure thanks to numerous established security measures keeping your account protected. You therefore do not need to take any steps as regards to your account with us.

We have asked SITA to keep us informed about any development relating to this incident and we will continue to monitor the situation as it develops. We will update you again in the event any further important information becomes available.

Yours sincerely,


Marco Polo Club

Yeahh I received the same thing... but doesn't seem as serious as the last breach fortunately...

I got the same but from Singapore Airlines. They feed and share data with their Star Alliance member airlines as well.

Got an SQ one too.

haven’t booked with either for a long time. Flown them through partner bookings though. Assume my “valuable” details will be ok...?

Best to know what SITA does
 

What CX sent out was a disclaimer that its systems were not affected, however, CX and other airlines share their data when transacting with other airlines, i.e. for tickets issued across multiple carriers, passenger and visa information, Frequent Flyer Programme Status, and credit cards.

This means that the data on CX shared with any other airline could have been compromised on SITA.

To explain, SITA was set up to facilitate connectivity between airlines at the beginning of the computer age to enable communication to flow between them. It now operates one of the world’s largest global networks.

This means that say neither CX not SQ system’s were compromised, yet data travelling between the two was, i.e. over the SITA network with its multiple nodes, servers, and storage devices.

From reading the CX and AA notices I received it looks as if data was compromised over the SITA network.

Message from BA:
Dear Customer,

We take the protection of your data very seriously.

We have been notified of a data breach at global technology company SITA, an IT services provider to many airlines around the world. SITA is not British Airways’ booking and reservations system provider and SITA’s breach does not involve our customers’ financial information or password as SITA does not have access to this data. Please be reassured that this incident was not a breach of British Airways' systems.

Along with many other airlines, we do share limited information with partner airlines in order to enhance your experience when flying with them. We have been notified by SITA that some British Airways Executive Club Members’ names, membership numbers and some of their preferences, such as seating, has been impacted.

The password you use for your account is not held by SITA and has not been put at risk by this breach.

As a precaution, given the potential that customers have re-used passwords used for other websites, we are taking the following action to protect you:

• Please log into your account and reset your password
• Please create a new password that you have not used elsewhere
• Once your password has been reset and you have completed a verification step, you will be able to regain full access to your account

We know fraudsters try to use situations like this to their advantage. We will not contact you by phone and ask for your password - please do not reveal your password to anyone claiming to be from British Airways. If you need to contact us, you can do so via our contact centres.

We are sorry for the inconvenience caused and thank you for your continued support and cooperation in helping us to keep your information safe and secure.

British Airways

I got 4 of them... United, CX, SG, and another one I forgot.... CX was first

This is one possibility. Another possibility may be, if the breach happened several years ago, due to MH (and S7) using SITA's GDS/CRS. SITA may have stored a copy of membership numbers, names, and tiers. Both MH and S7 migrated to Amadeus afterwards. At least in Amadeus and Sabre, you can get the name match confirmation and tier status using a member's membership number almost instantly, and it is my understanding that Amadeus and Sabre each has a local copy of the information.

On a separate note, I got this about a previous data breach today :

DID CATHAY PACIFIC NOTIFY YOU ABOUT A DATA INCIDENT ON OR AROUND OCTOBER 24, 2018?
THIS NOTICE MAY AFFECT YOUR LEGAL RIGHTS

A class action settlement has been reached in McLean v. Cathay Pacific Airways Limited, S.C.B.C. No. VLC-S-S-199228. The action was certified by the Supreme Court of British Columbia. The settlement is a compromise of disputed claims and is not an admission of liability, wrongdoing or fault by any of the defendant. The proposed settlement is subject to the approval of the Court.

There is a link below. Anyone heard of this? They said the settlement was a little over $1.5 million.

Wrong class action.

I just received this too.

I'm a Canadian citizen from BC but living in Kuala Lumpur Malaysia. Honestly can't remember if i submitted my email for the class action back in 2018. I'm guessing I did.

Same here I don't remember I submitted my email and received this too. Canadian citizen from BC stuck in Shanghai, China.

So glad that ambulance chasing lawyers will use these frivolous nuisance class-action lawsuits to bleed corporations. Each "member" of the class will get $2.00 USD, and the lawyers will get 30%.

Yeah, just principally disgusting.

Anyway, I received the message from both CX and SQ, where my SQ Krisflyer subscription was only just 1 week old, when I received the notice ;)

This suggests, the breach was very recent OR SQ did just sent everybody this notice, independent whether the breach was earlier on.

It would be a wise decision for organizations to send this notice to everyone on their list.