9.4 million passengers’ data stolen from CX

Old Nov 1, 18, 1:34 pm   -   Wikipost
Please read: This is a community-maintained wiki post containing the most important information from this thread. You may edit the Wiki once you have been on FT for 90 days and have made 90 posts.
 
Last edit by: kaka
Cathay Pacific information site:
https://infosecurity.cathaypacific.com/en_HK.html

If you want to hold CX to legal standing for the loss of private data, the best shot would be using EU GDPR regulations:
What to write to DPO/CX ([email protected]) according to EU GDPR in very short... (ref #177)
(if CX is seen as a HK company, then EU GDPR would apply to all EU Citizen inc valid and expired (not renounced) BNO Holders; and if CX is seen managed by John Swire & Sons Ltd in the UK via Swire, then Data Protection Act 2018 (of UK) which includes GDPR would apply to EVERYONE)
  • ask for data that CX hold on you
  • highlight specifically which data was lost
    (there's a few things you could ask them according to GDPR... refer to the website)
They have 1 month to respond or they will have to give you a reasonable timeframe where they have to respond by within the 1 month before you can go to ICO.

If you are seeking compensation from CX for the loss of private data, the following sites are dealing with class action against CX (not legal advice)

Old Oct 29, 18, 6:57 pm
  #166  
 
Join Date: Sep 2011
Location: MNL
Programs: CX MPO DM, Le Club Accor Platinum, World of Hyatt Explorist
Posts: 2,090
Originally Posted by Mr. Strong
After I got my data security breach email from CX, I sent an email to Rupert Hogg, another senior manager and their infosecurity desk. I asked some straightforward questions. It took their Customer Relations team 3 days to send me the following pathetic reply.

"Thank you for your email to Mr Rupert Hogg, our Chief Executive Officer, our senior management team and the info security team regarding your concerns on the data security event.

We are sorry that we have not been able to respond as of yet. We fully appreciate and recognise your concerns. Please allow us to look into the matter before replying to you in more detail. In the meantime, thank you for your patience and for taking the time to contact us.

Yours sincerely
Customer Relations Department
Cathay Pacific Airways Limited
Hong Kong Dragon Airlines Limited"
What a joke...
FlyPointyEnd
Old Oct 29, 18, 8:06 pm
  #167  
Formerly known as jsfrSuperElite
 
Join Date: Feb 2008
Location: Hong Kong, Montreal
Programs: AirCanada SE1MM, Cathay Pacific MPC Diamond, Hilton Honors Diamond
Posts: 547
Originally Posted by Mr. Strong
After I got my data security breach email from CX, I sent an email to Rupert Hogg, another senior manager and their infosecurity desk. I asked some straightforward questions. It took their Customer Relations team 3 days to send me the following pathetic reply.

"Thank you for your email to Mr Rupert Hogg, our Chief Executive Officer, our senior management team and the info security team regarding your concerns on the data security event.

We are sorry that we have not been able to respond as of yet. We fully appreciate and recognise your concerns. Please allow us to look into the matter before replying to you in more detail. In the meantime, thank you for your patience and for taking the time to contact us.

Yours sincerely
Customer Relations Department
Cathay Pacific Airways Limited
Hong Kong Dragon Airlines Limited"
Last Friday, I sent as well an email to the management of CX and got the exact same response as you...
jsfrSE
Old Oct 29, 18, 11:29 pm
  #168  
 
Join Date: Aug 2018
Posts: 9
Wow scmp reported there is a class action suit against cx.
fmradio
Old Oct 29, 18, 11:47 pm
  #169  
Ambassador, Hong Kong and Macau
 
Join Date: May 2009
Location: HKG
Programs: Depends
Posts: 14,359
Originally Posted by fmradio
Who actually signed up for the experian services? I had name and address stolen
Me. To use against credit cards in my BAEC (I'm not a EU resident for BAEC purposes, so Cheapo Cruz didn't send me an Experian link for that)
percysmith
Old Oct 30, 18, 9:07 am
  #170  
 
Join Date: Jun 2006
Location: SIN
Programs: CX DM, SQ KF
Posts: 1,899
Originally Posted by jsfrSE
Last Friday, I sent as well an email to the management of CX and got the exact same response as you...
Interestingly, I did the same (a frustrated forward to Mr Hogg) a few days before this issue hit the wires - pointing to certain posts on here... got a reply the next day from a manager in SIN that seemed to have a bit more content, even if it seemed wayy too positive/along the party line (along... ‘we know, we’re working, while not perfect - look at the improvements in the lounges, the enhanced biz dining etc’)

(I do owe some of the regulars on here an update about that- soon!, even though you didn’t really miss anything).
jagmeets
Old Nov 1, 18, 9:05 am
  #171  
Ambassador, Hong Kong and Macau
 
Join Date: May 2009
Location: HKG
Programs: Depends
Posts: 14,359
‎Simone Chen‎ to Cathay Pacific 國泰航空
October 30 at 5:57 PM ·
I wrote to CX about the details of my details leaked. I asked whether my full name or surname only, every digit of my phone number or only part of it.

Here is the reply from CX customer relationship. “ We are sorry we cannot access your specific information due to privacy concerns.”

You leak my data and then you tell me I can’t tell you the details of it because of privacy concern. How hilarious!!!
percysmith
Old Nov 1, 18, 10:02 am
  #172  
 
Join Date: Oct 1999
Location: HKG
Programs: CX DM, SQ, BA, TG, Sheba, VN, MPO since 1980
Posts: 1,055
https://www.scmp.com/news/hong-kong/...rs-affected-do
Marco Polo
Old Nov 1, 18, 11:13 am
  #173  
 
Join Date: Jun 2016
Location: Hong Kong
Programs: Lowly CX & IHG
Posts: 347
Regarding the “We are sorry we cannot access your specific information due to privacy concerns”, not that they should send actual data through email which is not really considered secure, nor should they keep a copy of the actual leaked data for the inquiries that’s easier to be leaked again... So, well, not very helpful but not the worst way to handle either, in my own opinion; but that’s your freedom if you insist on a thorough check.
watery
Old Nov 1, 18, 7:28 pm
  #174  
Suspended
 
Join Date: May 2006
Location: HKG
Programs: A3, TK *G; JL JGC; SPG,Hilton Gold
Posts: 9,959
Originally Posted by watery
Regarding the “We are sorry we cannot access your specific information due to privacy concerns”, not that they should send actual data through email which is not really considered secure, nor should they keep a copy of the actual leaked data for the inquiries that’s easier to be leaked again... So, well, not very helpful but not the worst way to handle either, in my own opinion; but that’s your freedom if you insist on a thorough check.
gdpr.
kaka
Old Nov 1, 18, 7:56 pm
  #175  
 
Join Date: Jun 2016
Location: Hong Kong
Programs: Lowly CX & IHG
Posts: 347
Originally Posted by kaka
gdpr.
Not being an EU citizen thus not aware of that. In that case maybe also contact the data protection officer or state as a GDPR request?

Originally Posted by peasant
Customers requesting more information or clarification on specific Personal Data usage are welcome to contact us at [email protected] or write to us at the below mailing addresses:

The Data Protection Officer
Cathay Pacific Airways Limited
6th Floor Cathay Pacific City
8 Scenic Road
Hong Kong International Airport
Lantau
Hong Kong

Hong Kong Dragon Airlines Limited
5th Floor Cathay Dragon House
11 Tung Fai Road
Hong Kong International Airport
Lantau
Hong Kong
watery
Old Nov 1, 18, 8:30 pm
  #176  
Suspended
 
Join Date: May 2006
Location: HKG
Programs: A3, TK *G; JL JGC; SPG,Hilton Gold
Posts: 9,959
Originally Posted by watery
Not being an EU citizen thus not aware of that. In that case maybe also contact the data protection officer or state as a GDPR request?
are you a bno holder (expired or not)?

anyways, you can still send the same in. they could ask for your EU citizen details or they could surrender the information
kaka
Old Nov 1, 18, 8:53 pm
  #177  
Suspended
 
Join Date: May 2006
Location: HKG
Programs: A3, TK *G; JL JGC; SPG,Hilton Gold
Posts: 9,959
According to EU GDPR (if CX is seen as a HK company, then it would apply to all EU Citizen inc valid and expired (not renounced) BNO Holders; and if CX is seen managed by John Swire & Sons Ltd in the UK via Swire, then GDPR would apply to EVERYONE)

From the communications with someone on the BA Forum, this is a brief summary of what GDPR/UK Data Protection Act 2018 say wrt personal data. (this was taken from private comms so i would keep the name out. it's pretty much taken out of the website so i figure it's ok to share with like minds without rewriting it.)
Under the Data Protection Act (latest UK version is 2018, which includes GDPR) you can make a "Subject Access Request". Under Data Processing law any living individual is a "data subject" and can apply to any data processor (any person, company or legal entity) that has information about them.

What is a data subject entitled to?

Individuals have the right to obtain the following from you:
  • confirmation that you are processing their personal data;
  • a copy of their personal data; and
  • other supplementary information – this largely corresponds to the information that you should provide in a privacy notice
Other information

In addition to a copy of their personal data, you also have to provide data subjects with the following information:
  • the purposes of your processing;
  • the categories of personal data concerned;
  • the recipients or categories of recipient you disclose the personal data to;
  • your retention period for storing the personal data or, where this is not possible, your criteria for determining how long you will store it;
  • the existence of their right to request rectification, erasure or restriction or to object to such processing;
  • the right to lodge a complaint with the ICO or another supervisory authority;
  • information about the source of the data, where it was not obtained directly from the individual;
  • the existence of automated decision-making (including profiling); and
  • the safeguards you provide if you transfer personal data to a third country or international organisation.
The law would therefore practically permit you to apply to get all data that BA holds about you, why it retains the data that it does, what data is shared with any third party, which data was shared with unknown third parties as a result of the data breach (there are other reasons).

BA have to respond within a month of your request, and there is no charge payable (the previous version of the Data Protection Act allowed a charge of up to £10 but this no longer applies since GDPR).

You may find this page useful: https://ico.org.uk/your-data-matters...ght-of-access/
and below is CX's point of contact regarding personal data usage.
Originally Posted by peasant
Customers requesting more information or clarification on specific Personal Data usage are welcome to contact us at [email protected] or write to us at the below mailing addresses:

The Data Protection Officer
Cathay Pacific Airways Limited
6th Floor Cathay Pacific City
8 Scenic Road
Hong Kong International Airport
Lantau
Hong Kong

Hong Kong Dragon Airlines Limited
5th Floor Cathay Dragon House
11 Tung Fai Road
Hong Kong International Airport
Lantau
Hong Kong
A brief summary of what to write to DPO in very short...
asking for data that CX hold on you
highlight specifically which data was lost
(there's a few things you could ask them according to GDPR... refer to the website)
They have 1 month to respond or they will have to give you a reasonable timeframe where they have to respond by within the 1 month before you can go to ICO.

Last edited by kaka; Nov 1, 18 at 9:24 pm
kaka
Old Nov 1, 18, 9:27 pm
  #178  
Suspended
 
Join Date: May 2006
Location: HKG
Programs: A3, TK *G; JL JGC; SPG,Hilton Gold
Posts: 9,959
re: Class action

http://www.cathaydatabreach.com - SPG/ Sanders Phillips Grossman
From SCMP regarding SPG (http://www.cathaydatabreach.com)
Originally Posted by scmp
The group (SPG) action planned in Britain would be restricted to European Union residents. On the website, the firm said the claimants had a right to compensation from Cathay Pacific for the data leak under Article 82 of the European Union General Data Protection Regulation (GDPR).

For other claimants, like those in Hong Kong and mainland China, Goodhead said the firm would file separately in the Netherlands, which “provides a mechanism [by which a] stichting, or a foundation, can represent claimants worldwide on a class action basis”.
http://www.classlawdc.com/2018/10/25...investigation/ - M&R/ Migliaccio & Rathod LLP
Originally Posted by M&R
Migliaccio & Rathod LLP is currently investigating Cathay Pacific’s alleged failure to protect sensitive customer data in the worst ever airline data hack.

Last edited by kaka; Nov 1, 18 at 9:32 pm
kaka
Old Nov 1, 18, 9:35 pm
  #179  
Suspended
 
Join Date: May 2006
Location: HKG
Programs: A3, TK *G; JL JGC; SPG,Hilton Gold
Posts: 9,959
updated wiki:
for GDPR and class action

If you want to hold CX to legal standing for the loss of private data, the best shot would be using EU GDPR regulations:
What to write to DPO/CX ([email protected]) according to EU GDPR in very short... (ref #177)
(if CX is seen as a HK company, then EU GDPR would apply to all EU Citizen inc valid and expired (not renounced) BNO Holders; and if CX is seen managed by John Swire & Sons Ltd in the UK via Swire, then Data Protection Act 2018 (of UK) which includes GDPR would apply to EVERYONE)
  • ask for data that CX hold on you
  • highlight specifically which data was lost
    (there's a few things you could ask them according to GDPR... refer to the website)
They have 1 month to respond or they will have to give you a reasonable timeframe where they have to respond by within the 1 month before you can go to ICO.

If you are seeking compensation from CX for the loss of private data, the following sites are dealing with class action against CX (not legal advice)
kaka
Old Nov 1, 18, 11:52 pm
  #180  
 
Join Date: Aug 2015
Programs: MPC Inv
Posts: 46
The below from today's SCMP I feel adds some balance to what has been at times a considerable overreaction both on this forum and elsewhere.
For the past week or so the SCMP has run several pieces aimed at inflaming the views of a largely uninterested Hong Kong readership yet today has prominently featured the below from a regular contributor Richard Harris

https://www.scmp.com/comment/insight...ts-data-breach

Last evening at a function we were a table of 14 HK based business people, mostly local locals who all travel to a greater or lesser extent with Cathay. None were remotely alarmed by this contained data breach. Slightly annoyed yes but nothing more with all considering that this could happen to any large business that needs to gather a good deal of personal information with some considering Cathay’s IT systems to be robust in that almost no useable data that was not readily available from other sources had been accessed by this aggressive breach.
oldchinahand
