9.4 million passengers’ data stolen from CX

Old Nov 1, 18, 1:34 pm   -   Wikipost
Please read: This is a community-maintained wiki post containing the most important information from this thread. You may edit the Wiki once you have been on FT for 90 days and have made 90 posts.
 
Last edit by: kaka
Cathay Pacific information site:
https://infosecurity.cathaypacific.com/en_HK.html

If you want to hold CX to legal standing for the loss of private data, the best shot would be using EU GDPR regulations:
What to write to DPO/CX ([email protected]) according to EU GDPR in very short... (ref #177)
(if CX is seen as a HK company, then EU GDPR would apply to all EU Citizen inc valid and expired (not renounced) BNO Holders; and if CX is seen managed by John Swire & Sons Ltd in the UK via Swire, then Data Protection Act 2018 (of UK) which includes GDPR would apply to EVERYONE)
  • ask for data that CX hold on you
  • highlight specifically which data was lost
    (there are a few things you could ask them for according to GDPR... refer to the website)
They have 1 month to respond or they will have to give you a reasonable timeframe where they have to respond by within the 1 month before you can go to ICO.

If you are seeking compensation from CX for the loss of private data, the following sites are dealing with class action against CX (not legal advice)


Old Nov 12, 18, 5:17 pm
  #196  
Suspended
 
Join Date: May 2006
Location: HKG
Programs: A3, TK *G; JL JGC; SPG,Hilton Gold
Posts: 9,959
cx dpo acknowledged receipt of email asking for data subject access request with no substance
kaka is online now  
Old Nov 12, 18, 5:32 pm
  #197  
Ambassador, Hong Kong and Macau
 
Join Date: May 2009
Location: HKG
Programs: Depends
Posts: 14,164
1. I wonder the 430 cards stolen - of which 427 were claimed to have expired - were "expired" as a result of the breach (that is - the cards were valid, but CX's acquirer contacted the issuers to replace the cards)?

2. My info stolen - HKID (how did CX have that...) phone number email - may not be enough to create new card accounts/identity documents for identity theft but coupled with pretty lax security at other HK companies, someone may get my other non-public info like bank balance or card balance. Other than that, and the fact my phone and email may be spammed, I really can't think of any objective consequences of the breach.
percysmith is offline  
Old Nov 13, 18, 8:13 pm
  #198  
Suspended
 
Join Date: Oct 2017
Programs: jeweledgolfclub
Posts: 22
Originally Posted by percysmith View Post
1. I wonder the 430 cards stolen - of which 427 were claimed to have expired - were "expired" as a result of the breach (that is - the cards were valid, but CX's acquirer contacted the issuers to replace the cards)?

2. My info stolen - HKID (how did CX have that...) phone number email - may not be enough to create new card accounts/identity documents for identity theft but coupled with pretty lax security at other HK companies, someone may get my other non-public info like bank balance or card balance. Other than that, and the fact my phone and email may be spammed, I really can't think of any objective consequences of the breach.
1) Do you trust what they tell you tho? Especially when you say they don't know your HKID.
2) Assuming your name was taken too, it's not hard to make some half genuine ID for some can't-be-bothered company to approve their use.
3) Remember how some people got their alipay account breached?

Is anyone doing the class action?
jeweled golf club is offline  
Old Nov 14, 18, 5:55 am
  #199  
 
Join Date: Apr 2014
Location: Haute-Vienne, France
Posts: 211
I've contacted them for more details on what they intend to do with this lawsuit before committing to anything but they did say they have a large number signed up already.
Lussac is offline  
Old Nov 14, 18, 7:14 am
  #200  
 
Join Date: Nov 2017
Programs: MPC-Gold, Enrich-Plat
Posts: 620
Originally Posted by Lussac View Post
I've contacted them for more details on what they intend to do with this lawsuit before committing to anything but they did say they have a large number signed up already.
Ambulance chasers, their goal:
- Fill their own wallets by wanting a 30% fee of the CX extorted amount.
- Let all participants deposit a significant amount for whatever plausible reason, to cover their real costs, just in case the extorted amount is less than the costs.

Of course, they will tell you, a lot of people already signed up.

Be aware, to be able to get compensation, you will need to show some kind of damage. The simple fact that info has been (presumably) stolen does not imply it is being used maliciously. EU-GDPR fines go to the EU, not to the individual.

Put your emotions aside. With "significant" information stolen from 9.4 million people, there should have been a huge crowd, who was a victim of fraud though until now, if fraud was the target of the theft. I did see zero notifications somehow or another related to this leak.

(Which again convinces me, the hackers weren't "commercially" interested, ie state hackers).
windchaser777 likes this.
Cambo is offline  
Old Nov 14, 18, 11:14 pm
  #201  
Ambassador, Hong Kong and Macau
 
Join Date: May 2009
Location: HKG
Programs: Depends
Posts: 14,164
Originally Posted by jeweled golf club View Post
1) Do you trust what they tell you tho? Especially when you say they don't know your HKID.
2) Assuming your name was taken too, it's not hard to make some half genuine ID for some can't-be-bothered company to approve their use.
3) Remember how some people got their alipay account breached?

Is anyone doing the class action?
1) is a legitimate concern, especially since they revealed they've been under continuous attack for 3 months after being towed to Legco.

What else are they hiding? Wonder are there grounds for establishing a Commission of Enquiry (HK-style Royal Commission)?
percysmith is offline  
Old Nov 15, 18, 12:00 am
  #202  
 
Join Date: Nov 2017
Programs: MPC-Gold, Enrich-Plat
Posts: 620
Originally Posted by percysmith View Post
1) is a legitimate concern, especially since they revealed they've been under continuous attack for 3 months after being towed to Legco.

What else are they hiding? Wonder are there grounds for establishing a Commission of Enquiry (HK-style Royal Commission)?
A lot of unclear aspects, though, I think, we should give CX credit for their effort to painstakingly investigate and report at the individual level, which record items were leaked for each individual customer. I do think, most companies would have simply said something general, like, "If you have your HKID stored at CX and used it in this period, it highly likely got leaked.". Have a look at facebook, google, apple, etc.
christep and royng like this.
Cambo is offline  
Old Nov 15, 18, 1:32 am
  #203  
Ambassador, Hong Kong and Macau
 
Join Date: May 2009
Location: HKG
Programs: Depends
Posts: 14,164
Originally Posted by Cambo View Post
we should give CX credit for their effort to painstakingly investigate and report at the individual level, which record items were leaked for each individual customer.
What assurance do I have that the information is complete, and a judge with compelling powers is not going to find the 20-odd credit cards and my mother's alias passport copy has not been leaked as well?
percysmith is offline  
Old Nov 15, 18, 1:53 am
  #204  
 
Join Date: Nov 2017
Programs: MPC-Gold, Enrich-Plat
Posts: 620
Originally Posted by percysmith View Post
What assurance do I have that the information is complete, and a judge with compelling powers is not going to find the 20-odd credit cards and my mother's alias passport copy has not been leaked as well?
That's easy: You don't.

To be (more) sure, you will have to set up your own investigation team & program, convince CX (probably through a court action) to let the team investigate the same as CX already did, and find out if CX made mistakes and/or cheated on the whole. I don't think any court will grant you such a request, unless you can make it very plausible that CX cheated on you with what they reported. That'll be difficult, to say the least.

On the practical side, CX gave each individual an exact description of what (which records) has/have been accessed (leaked ?), which gives (at least) me "quite some" confidence that CX did seriously investigate and deal with this matter.

I just came over some press coverage that the august BA leaked credit cards do seem to be offered at black markets.

Despite the CX leaking being significantly longer ago (and at a significantly smaller credit card scale), I did not see any notices appear about leaked data being available for purchase.

To be able to offer leaked data, the party doing the commercialization, certainly will have to tell their potential customers, where the data comes from, otherwise their customers have no idea about the value of what they can buy.

(Which again does let me expect this leak to be from state hackers. I think, it's an excellent idea to, as a state intelligence institute, hack major airlines to obtain information about people vs. their communication methods, as well as people movements around the globe. Not that many other organizations will have such a high quality info about everybody travelling around the globe. Not even banks have that info.)
Cambo is offline  
Old Nov 15, 18, 2:52 am
  #205  
Ambassador, Hong Kong and Macau
 
Join Date: May 2009
Location: HKG
Programs: Depends
Posts: 14,164
I have my suspicions BA leaked my card info - I just had the USD card I use for BAEC (which I use for USD transactions only) fraudulently charged overnight, cancelled and replaced first thing this morning.

However, the company that admitted they have not told us everything at first is worse than the company I can't prove has not told us everything.
percysmith is offline  
Old Nov 15, 18, 7:17 pm
  #206  
Suspended
 
Join Date: Oct 2017
Programs: jeweledgolfclub
Posts: 22
Originally Posted by percysmith View Post
I have my suspicions BA leaked my card info - I just had the USD card I use for BAEC (which I use for USD transactions only) fraudulently charged overnight, cancelled and replaced first thing this morning.

However, the company that admitted they have not told us everything at first is worse than the company I can't prove has not told us everything.
I agree. Surely it can be a big problem, otherwise FB wouldn't have gotten a big fine over it in Europe.

Just like EC261, not being consumer friendly is an annoyance by itself.
jeweled golf club is offline  
Old Nov 15, 18, 8:33 pm
  #207  
Original Poster
 
Join Date: Mar 2012
Location: Boulder
Programs: AA Plat, CX Silver
Posts: 2,259
Has anyone seen which security firm CX has hired for the investigation?

Sometimes that's the best indicator of which sort of attacker is at play.
txflyer77 is offline  
Old Nov 18, 18, 12:31 am
  #208  
 
Join Date: Mar 2012
Location: Vancouver, Manila, Singapore, Kuala Lumpur, Hong Kong
Programs: CX-DM, Marriott Gold, Fairmont Premier
Posts: 197
So has anyone signed up for the class action lawsuit?
blum81 is online now  
Old Nov 19, 18, 1:57 pm
  #209  
 
Join Date: Nov 2018
Programs: air new zealand
Posts: 3
Sadly my first comment on FT is to advise that CX told me only my name and title had been hacked. But last week, my credit card was hacked with ~$3,000 NZD for flights, including one on Cathay. Quite scary. Thanks for all the info here.
jeweled golf club likes this.

Last edited by kathkiwi; Nov 19, 18 at 1:58 pm Reason: Deleted note about this being a reply, not a post. My misunderstanding.
kathkiwi is offline  
Old Nov 19, 18, 7:26 pm
  #210  
 
Join Date: Nov 2017
Programs: MPC-Gold, Enrich-Plat
Posts: 620
Originally Posted by kathkiwi View Post
Sadly my first comment on FT is to advise that CX told me only my name and title had been hacked. But last week, my credit card was hacked with ~$3,000 NZD for flights, including one on Cathay. Quite scary. Thanks for all the info here.
Unless you did not use your card for a long time anywhere, the physical card is stored safe and you never "stored" the card details in such a "secure" cloud safe, it would be a very long jump to suggest your card details became compromised through the CX hack&leak.
Cambo is offline  