
9.4 million passengers’ data stolen from CX


Old Nov 1, 18, 1:34 pm   -   Wikipost
Please read: This is a community-maintained wiki post containing the most important information from this thread. You may edit the Wiki once you have been on FT for 90 days and have made 90 posts.
 
Last edit by: kaka
Cathay Pacific information site:
https://infosecurity.cathaypacific.com/en_HK.html

If you want to hold CX to legal standing for the loss of private data, the best shot would be using EU GDPR regulations:
What to write to DPO/CX ([email protected]) according to EU GDPR in very short... (ref #177)
(if CX is seen as a HK company, then EU GDPR would apply to all EU Citizen inc valid and expired (not renounced) BNO Holders; and if CX is seen managed by John Swire & Sons Ltd in the UK via Swire, then Data Protection Act 2018 (of UK) which includes GDPR would apply to EVERYONE)
  • ask for data that CX hold on you
  • highlight specifically which data was lost
    (there are a few things you could ask them according to GDPR... refer to the website)
They have 1 month to respond or they will have to give you a reasonable timeframe where they have to respond by within the 1 month before you can go to ICO.

If you are seeking compensation from CX for the loss of private data, the following sites are dealing with class action against CX (not legal advice)


Old Nov 1, 18, 11:56 pm
  #181  
Suspended
 
Join Date: May 2006
Location: HKG
Programs: A3, TK *G; JL JGC; SPG,Hilton Gold
Posts: 9,959
What a shame. It's against EU rules. You don't have to claim/complain/report them if you feel they have done it rightly so, but it's well within my right to bring a case. People get killed and the killer can run away around the world every day; does that give you any right to kill someone?

Originally Posted by oldchinahand View Post
Last evening at a function we were a table of 14 HK based business people, mostly local locals who all travel to a greater or lesser extent with Cathay. None were remotely alarmed by this contained data breach. Slightly annoyed yes but nothing more with all considering that this could happen to any large business that needs to gather a good deal of personal information with some considering Cathay’s IT systems to be robust in that almost no useable data that was not readily available from other sources had been accessed by this aggressive breach.
It's a matter of trust. What's next? They can throw our credit card out in the cloud?

You don't have to claim EU261 when the plane is delayed for 5 hours because of a missed document, but you are not stopping me from advocating that others claim it.
kaka is offline  
Old Nov 2, 18, 2:49 am
  #182  
 
Join Date: Jan 2016
Location: LON
Programs: BAEC, Accor
Posts: 1,229
Originally Posted by oldchinahand View Post
The below from today's SCMP I feel adds some balance to what has been at times a considerable over-reaction both on this forum and elsewhere.
For the past week or so the SCMP has run several pieces aimed at inflaming the views of a largely uninterested Hong Kong readership, yet today has prominently featured the below from a regular contributor, Richard Harris:

https://www.scmp.com/comment/insight...ts-data-breach

Last evening at a function we were a table of 14 HK based business people, mostly local locals who all travel to a greater or lesser extent with Cathay. None were remotely alarmed by this contained data breach. Slightly annoyed yes but nothing more with all considering that this could happen to any large business that needs to gather a good deal of personal information with some considering Cathay’s IT systems to be robust in that almost no useable data that was not readily available from other sources had been accessed by this aggressive breach.
Unless you're a hermit and don't do anything online, all of us will have our data out in the cloud, including card numbers, whether you realise it or not. What matters though is whether appropriate technology, process and people policies are in place to ensure that it is safe and secure. That is where CX failed.
plunet is offline  
Old Nov 2, 18, 3:29 am
  #183  
FlyerTalk Evangelist
 
Join Date: Jun 2002
Location: Hong Kong
Programs: None any more
Posts: 10,733
The core issue, both with random punters and also, sadly, with many data users is the failure to understand the distinction between identifiers (name, HKID, passport, social security number, etc) and authenticators. The only reason this data leak is a problem is that too many companies use what should be identifiers (and which are often publicly available information) for the purposes of authentication. Sadly, on a previous occasion, even the HK Data Protection head demonstrated that he didn't understand this fundamental concept either.

Last edited by christep; Nov 2, 18 at 5:57 am
christep is online now  
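An added illustration of the identifier/authenticator distinction made in the post above, written for this page and not taken from the thread or from Cathay Pacific. The customer record, field names, password and leaked subset are all constructed placeholders; the point is that a check built on identifiers accepts anyone holding a copy of the leaked fields, while a check built on a real authenticator does not.

```python
import hashlib
import hmac
import os

# Identifiers: facts about a person that others can know (and that the stolen
# data set contained). Authenticators: secrets only the legitimate user holds.
IDENTIFIER_FIELDS = {"name", "hkid", "passport_no", "phone", "email", "dob"}
AUTHENTICATOR_FIELDS = {"password_hash", "totp_secret"}

def classify_leaked_fields(leaked_fields):
    """Sort a leaked record's field names into identifiers and authenticators."""
    fields = set(leaked_fields)
    return {
        "identifiers": sorted(fields & IDENTIFIER_FIELDS),
        "authenticators": sorted(fields & AUTHENTICATOR_FIELDS),
    }

def hash_password(password, salt=None):
    """Derive a salted PBKDF2 digest; a fresh random salt is used when none is given."""
    salt = os.urandom(16) if salt is None else salt
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)

def verify_by_identifiers(record, claim):
    """A 'knowledge-based' check that only compares identifiers: anyone holding
    a copy of the leaked record passes it, so it proves possession of data,
    not identity. This is the weak pattern the post warns about."""
    return all(record.get(k) == claim.get(k) for k in ("name", "hkid", "passport_no"))

def verify_by_secret(record, password):
    """A check that requires an authenticator; the leaked fields do not help."""
    salt, expected = record["password_hash"]
    _, actual = hash_password(password, salt)
    return hmac.compare_digest(expected, actual)

# Constructed sample customer record; the values are placeholders, not real data.
_SALT, _DIGEST = hash_password("correct horse battery staple")
CUSTOMER = {
    "name": "A. Sample",
    "hkid": "X000000(0)",
    "passport_no": "P0000000",
    "phone": "+852 0000 0000",
    "password_hash": (_SALT, _DIGEST),
}

# Constructed stand-in for what an outsider holds after the leak: identifiers only.
LEAKED_RECORD = {k: CUSTOMER[k] for k in ("name", "hkid", "passport_no", "phone")}
```

Running classify_leaked_fields on the leaked subset reports no authenticators at all, which is exactly why the leak only matters to systems that treat identifiers as proof of identity.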
Old Nov 2, 18, 4:22 am
  #184  
 
Join Date: Jun 2010
Location: HKG
Programs: AC-SE, CX-DM, SQ-PPS, Fairmont-Plat, SPG/Marriott-Plat, Le Club Accor-Plat, HHonors Silver
Posts: 229
Originally Posted by oldchinahand View Post
Last evening at a function we were a table of 14 HK based business people, mostly local locals who all travel to a greater or lesser extent with Cathay. None were remotely alarmed by this contained data breach. Slightly annoyed yes but nothing more with all considering that this could happen to any large business that needs to gather a good deal of personal information with some considering Cathay’s IT systems to be robust in that almost no useable data that was not readily available from other sources had been accessed by this aggressive breach.
While there is some truth that it could happen to any business, the fact that CX waited 5 months to tell its customers is not something anyone should accept and encourage. It also failed to explain why it took them so long to advise its customers. Just because "it could happen to other companies" is not an excuse to brush this off.

They also failed to explain what exactly happened and have not been transparent at all in handling the matter.

These practices are not acceptable and should not be encouraged.

Last edited by hermanc; Nov 3, 18 at 1:37 am
hermanc is offline  
Old Nov 2, 18, 5:19 am
  #185  
Formerly known as jsfrSuperElite
 
Join Date: Feb 2008
Location: Hong Kong, Montreal
Programs: AirCanada SE1MM, Cathay Pacific MPC Diamond, Hilton Honors Diamond
Posts: 543
No, where CX failed is in not reporting this data hack immediately, but rather 7 months after it happened! This is simply unacceptable for people who got their personal data compromised.
Originally Posted by plunet View Post
Unless you're a hermit and don't do anything online, all of us will have our data out in the cloud, including card numbers, whether you realise it or not. What matters though is whether appropriate technology, process and people policies are in place to ensure that it is safe and secure. That is where CX failed.
jsfrSE is offline  
Old Nov 3, 18, 10:47 am
  #186  
 
Join Date: Nov 2017
Programs: MPC-Gold, Enrich-Plat
Posts: 618
After thinking I was orphaned out on this, I got the sympathy email too.

Leaked info:
  • Name
  • Telephone Number
  • Title
Which surprises me. Some thoughts:
- AM is my only actual account, where, until very recently, no phone number was stored, so it does not seem to be AM.
- PP info is stored in the CX account, though the PP is expired. So could it be that CX does not report leaks on expired data?
- If so, then the leak is through the CX site itself and not AM/MPC.
- Given that I no longer seem to be able to log in as a CX customer (only AM/MPC), CX seems to have "combined" the accounts, something like Facebook with WhatsApp.

- Very strange that for most people only a very limited set is leaked, which brings me to:
- Could it be mobile related? Due to security (technical as well as big commercial brothers) concerns, I avoid doing these things through a mobile. Some basic info might be needed in the mobile site itself, where the remainder of the data is retrieved after a successful login (the same applies to the MPC site; it mentions your name and salutation before the actual MPC data is retrieved). This mobile site seems to be quite a plausible leak source. And of course CX does not want to be caught on this one; it'll give a serious drop in mobile CX access. (The phone number is needed to do 2FA when a password is lost.)

- Strangely, no mention of the account names being leaked.
- Who would be interested in this data? CN gov?
Cambo is offline  
Old Nov 4, 18, 6:33 am
  #187  
 
Join Date: Oct 1999
Location: HKG
Programs: CX DM, SQ, BA, TG, Sheba, VN, MPO since 1980
Posts: 1,053
https://www.scmp.com/news/hong-kong/...olders-earlier
Marco Polo is offline  
Old Nov 8, 18, 2:26 pm
  #188  
 
Join Date: Dec 2001
Location: New York, NY
Programs: LH Senator, CX Diamond
Posts: 575
Originally Posted by Mr. Strong View Post
After I got my data security breach email from CX, I sent an email to Rupert Hogg, another senior manager and their infosecurity desk. I asked some straightforward questions. It took their Customer Relations team 3 days to send me the following pathetic reply.

"Thank you for your email to Mr Rupert Hogg, our Chief Executive Officer, our senior management team and the info security team regarding your concerns on the data security event.

We are sorry that we have not been able to respond as of yet. We fully appreciate and recognise your concerns. Please allow us to look into the matter before replying to you in more detail. In the meantime, thank you for your patience and for taking the time to contact us.

Yours sincerely
Customer Relations Department
Cathay Pacific Airways Limited
Hong Kong Dragon Airlines Limited"
So I got a phone call from a senior CX manager in HKG to discuss the questions I had and my concerns about the data breach. He expressed a sincere apology. He confirmed that the communication email and the use of the phrase "data security event" or "Data Breach" in certain emails were based on where the affected traveller resides and the privacy laws in that country. He couldn't say much about the breach other than that it was very sophisticated malware. However, given how awful CX IT is, I think that basic malware would be characterized by CX as very sophisticated malware. He promised to look further into my questions and comments and revert to me. Let's see if that actually happens. He realizes that with the breach of my data and quite a number of significant service fails on CX for me this year, it's a very tall order to gain my trust and business after being DM for 10 straight years. I'm curious if he might have heard about a call I had with Greg Hughes on product and service fails.

Hoping that HKG privacy commissioner's probe, HK SFC and SEHK inquiries gather enough traction so that CX management will be punished and fined appropriately. Actually, I hope they also go after Ivan Chu since he was CX Chief Executive in March and Rupert Hogg only replaced him in May. So Boss Hogg, if you're reading this post, take some solace in knowing that I realize that freaking Ivan Chu bequeathed you with a huge cluster. 😜
Mr. Strong is offline  
Old Nov 10, 18, 1:46 am
  #189  
 
Join Date: Sep 2011
Location: MNL
Programs: CX MPO DM, Le Club Accor Platinum, World of Hyatt Explorist
Posts: 2,052
FlyPointyEnd is offline  
Old Nov 10, 18, 5:37 am
  #190  
 
Join Date: May 2013
Posts: 49
Originally Posted by Mr. Strong View Post

Hoping that HKG privacy commissioner's probe, HK SFC and SEHK inquiries gather enough traction so that CX management will be punished and fined appropriately. Actually, I hope they also go after Ivan Chu since he was CX Chief Executive in March and Rupert Hogg only replaced him in May. So Boss Hogg, if you're reading this post, take some solace in knowing that I realize that freaking Ivan Chu bequeathed you with a huge cluster. 😜
IIRC, Ivan Chu already stepped down in 2017, not in March this year.
Also, in that case, should the CEO prior to Ivan Chu be accountable for the fuel hedging that led to a chain of cost-cutting events when Ivan Chu stepped up as the CEO?
AviationAddict is offline  
Old Nov 12, 18, 8:42 am
  #191  
 
Join Date: Jan 2011
Location: Hong Kong
Programs: CX
Posts: 1,479
Turns out this was a sustained attack on CX...

Such was the intensity of the attack, Cathay said internal and external IT security experts had to focus solely on containment and prevention throughout March, April and May.
https://www.scmp.com/news/hong-kong/...iously-thought
CX HK is offline  
Old Nov 12, 18, 8:43 am
  #192  
 
Join Date: Jan 2016
Location: LON
Programs: BAEC, Accor
Posts: 1,229
There's a write up of the Cathay data breach on The Register.

https://www.theregister.co.uk/2018/1...iege_3_months/

The Register writes stuff for the geek community to enjoy, and it likes to poke a bit of fun in its journalistic style whilst remaining factual.
plunet is offline  
Old Nov 12, 18, 9:00 am
  #193  
 
Join Date: Nov 2017
Programs: MPC-Gold, Enrich-Plat
Posts: 618
Originally Posted by CX HK View Post
Turns out this was a sustained attack on CX...

https://www.scmp.com/news/hong-kong/...iously-thought
Which implies:
- The EU GDPR is applicable.
- CX did have one or more deeply hidden infections, which repeatedly re-infected other systems.
- Normal hackers don't do these kinds of things; they want data which can be sold, fast.
- The stolen data is pretty much useless for regular / large-scale abuse. It is far too much "loose sand". Let alone, despite the large scale, I did not see any abuse report traceable to this incident.
- Normal hackers would go after credit card information, and once inside like this, it's only one step further to implant the hacks like with BA in the payment portal.
- Only state hackers have the resources and endurance to do so for such a long period.

I repeat: state hackers, for example neighbour CN (though don't rule out the USA), interested in people movements and people connections (through links between extremely high quality phone/email/person data) throughout the world. The stolen data fits exactly in this category.

Edit: I would not be surprised if more major airlines have intrusions like this. ME3, KL/AF, LH, BA-again, TK, TG, SQ.

Last edited by Cambo; Nov 12, 18 at 9:29 am Reason: More airlines remark added.
Cambo is offline  
Old Nov 12, 18, 9:26 am
  #194  
 
Join Date: Oct 1999
Location: HKG
Programs: CX DM, SQ, BA, TG, Sheba, VN, MPO since 1980
Posts: 1,053
Fancy Bear, or North Korea training ops, or extortion?
Air China partners with CX so has access to most data anyway.
Over such a period of time the external experts must know the IP sources of the port attacks, and whether they are VPNs.
Marco Polo is offline  
Old Nov 12, 18, 9:42 am
  #195  
 
Join Date: Nov 2017
Programs: MPC-Gold, Enrich-Plat
Posts: 618
Originally Posted by Marco Polo View Post
Fancy Bear or North Korea training ops or extortion ?
Air China partners with CX so has access to most data anyway
Over such a period of time the external experts must know the IP sources of the port attacks, and whether they are VPNs
Nope, repeated infections over such a long period imply undetected infected internal systems (possibly even firewalls and the like), which contact command servers through Tor. Forensic investigation of the infections themselves might reveal the programmers' origins.

I certainly would not rule out big brother USA; there are parts of the world they don't have "cooperation" agreements with, and only for flights to/from the USA is passenger data shared with them ......

NK needs money, not the info about person/phone/email relations.

Fancy Bear, yeah sure; with them, you know, they eavesdrop on wifi networks locally from outside the building, as found some time ago in The Netherlands. A pretty easy and certain way to intrude into an organization, undetected.
Cambo is offline  