FlyerTalk Forums > Miles&Points > Airlines and Mileage Programs > Cathay Pacific | Marco Polo Club

9.4 million passengers’ data stolen from CX

Old Nov 1, 18, 1:34 pm   -   Wikipost
This is a community-maintained wiki post containing the most important information from this thread.

Last edit by: kaka
Cathay Pacific information site:
https://infosecurity.cathaypacific.com/en_HK.html

If you want to hold CX legally accountable for the loss of private data, the best shot would be using the EU GDPR regulations:
What to write to the DPO/CX ([email protected]) according to EU GDPR, in very short... (ref #177)
(If CX is seen as a HK company, then EU GDPR would apply to all EU citizens, including valid and expired (not renounced) BNO holders; and if CX is seen as managed by John Swire & Sons Ltd in the UK via Swire, then the Data Protection Act 2018 (of the UK), which includes GDPR, would apply to EVERYONE.)
  • ask for the data that CX holds on you
  • highlight specifically which data was lost
    (there are a few things you could ask them for according to GDPR... refer to the website)
They have 1 month to respond; otherwise, within that 1 month, they have to give you a reasonable timeframe by which they will respond, before you can go to the ICO.

If you are seeking compensation from CX for the loss of private data, the following sites are dealing with class actions against CX (not legal advice):

Old Nov 19, 18, 7:38 pm
  #211  
 
Join Date: Nov 2018
Programs: air new zealand
Posts: 3
Originally Posted by Cambo:
Unless you did not use your card for a long time anywhere, the physical card is stored safe and you never "stored" the card details in such a "secure" cloud safe, it would be a very long jump to suggest your card details became compromised through the CX hack&leak.
Thanks Cambo, that is a fair point. It was just odd that I got the email and then about 10 days later my cc got used to purchase a flight. Just wanted to post it here in case that becomes an emerging trend. But you are right, it is probably a long jump on my part. Apologies in that case.
Posted by kathkiwi
Old Nov 20, 18, 1:05 am
  #212  
 
Join Date: Jan 2006
Programs: AAdvantage Asia Miles Air China
Posts: 561
Originally Posted by kathkiwi:
Thanks Cambo, that is a fair point. It was just odd that I got the email and then about 10 days later my cc got used to purchase a flight. Just wanted to post it here in case that becomes an emerging trend. But you are right, it is probably a long jump on my part. Apologies in that case.
The hackageddon occurred at the beginning of 2018 so there has been plenty of time for the hackers to punt details on the dark web. What is not known is whether your CC theft is linked to the CX hackageddon.

Given the sheer number of people's details stolen, and I very much doubt CX has at any point been truly open and honest, the probability of being informed of your details being stolen and a CC theft occurring shortly after is very high, even if the events are not connected. However, CX appears to have been 'economical with the truth'.

The HKMA publishes statistical data quarterly and at the end of 2Q2018 there were 20.06 Million CC/DC issued in Hong Kong, and CX had 9.4 Million people's details hacked. If we assume 75% of these were HK residents then the potential impact is 7.05M or approximately 35% of all CC/DC in HK. If there was a large uptick in HK CC fraud then this would suggest a correlation. At this point there are no leading indicators that this has happened. However given the sophisticated nature of the attack on CX's unsophisticated IT infrastructure the bad guys could be drip feeding stolen data into the system.

In this case as the CC was used for a service the relevant anti-fraud teams can track down those people who used the tickets quite easily. Your CC thieves won't be so dumb as to use the CC themselves, but it will help any investigation.

I should add that the UK Government has a whole cyber warfare centre dedicated to the kind of attack that hit CX and do assist global businesses. CX should have gone to the experts as soon as they realised what was happening.
Posted by Nicc HK
Old Nov 20, 18, 1:37 am
  #213  
Ambassador, Hong Kong and Macau
 
Join Date: May 2009
Location: HKG
Programs: Depends
Posts: 14,134
Originally Posted by kathkiwi:
Thanks Cambo, that is a fair point. It was just odd that I got the email and then about 10 days later my cc got used to purchase a flight. Just wanted to post it here in case that becomes an emerging trend. But you are right, it is probably a long jump on my part. Apologies in that case.
Probably unrelated coincidence.

I really believe - to their credit - CX does not store credit card numbers after charging.
At least not for phone redemptions.
I've not been hit by a fraudulent card charge for the whole year, even though I must be redeeming a reward every two weeks on average (a big rush before 22/6).

I haven't redeemed online.
But I bought ticket online (and refunded it).

Whereas, with BA, me, my wife and at least one other FTer here (if you want to identify yourself) had our cards stored in BAEC compromised and replaced. Only my wife had a transaction in the period BA advertised data was stolen for.

---

I actually am not too concerned about simple credit card fraud.
My case for instance - out of 10 attempts to fraudulently charge my card (counting from SMS), 7 triggered VbV SMS that I presume the thief cannot obtain, one charge was rejected due to size, leaving puny EUR30 and EUR10 Hostelworld.ie charges for me to charge back. Since I already replaced the card first thing when I woke up and saw the SMSes, charging back the two charges required only a phone call.

I'm more concerned about an identity theft case. I've seen a thief almost make off with my mate's half mil bank account. While I don't think I've given CX enough info for anyone to pull off such a large feat, I've given enough info to CX for a thief to obtain my bank balances. I don't know what else.

Last edited by percysmith; Nov 20, 18 at 2:23 am
Posted by percysmith
Old Nov 20, 18, 1:42 am
  #214  
 
Join Date: Jan 2016
Location: LON
Programs: BAEC, Accor
Posts: 1,194
Originally Posted by Nicc HK:
The hackageddon occurred at the beginning of 2018 so there has been plenty of time for the hackers to punt details on the dark web. What is not known is whether your CC theft is linked to the CX hackageddon.

Given the sheer number of people's details stolen, and I very much doubt CX has at any point been truly open and honest, the probability of being informed of your details being stolen and a CC theft occurring shortly after is very high, even if the events are not connected. However, CX appears to have been 'economical with the truth'.

The HKMA publishes statistical data quarterly and at the end of 2Q2018 there were 20.06 Million CC/DC issued in Hong Kong, and CX had 9.4 Million people's details hacked. If we assume 75% of these were HK residents then the potential impact is 7.05M or approximately 35% of all CC/DC in HK. If there was a large uptick in HK CC fraud then this would suggest a correlation. At this point there are no leading indicators that this has happened. However given the sophisticated nature of the attack on CX's unsophisticated IT infrastructure the bad guys could be drip feeding stolen data into the system.

In this case as the CC was used for a service the relevant anti-fraud teams can track down those people who used the tickets quite easily. Your CC thieves won't be so dumb as to use the CC themselves, but it will help any investigation.

I should add that the UK Government has a whole cyber warfare centre dedicated to the kind of attack that hit CX and do assist global businesses. CX should have gone to the experts as soon as they realised what was happening.
Whilst what you state above all makes sense, in practice compromised data tends not to be used as quickly as you suggest. Initial attempts to monetise stolen data are often quite high and the market quite often goes elsewhere. Over time the price will drop and more and more data gets sold on and used.

So although there is no real pattern to when compromised data surfaces it can be anything from a few hours to a few years later. I could quote many examples where compromised data get used over a year after the initial breach.
Posted by plunet
Old Nov 22, 18, 10:37 pm
  #215  
Ambassador, Hong Kong and Macau
 
Join Date: May 2009
Location: HKG
Programs: Depends
Posts: 14,134
Cannot presume Because Air has told us everything

BA admitted losing 21/4-28/7 card info as well yesterday: BA Investigating Theft of Personal and Financial Data
Posted by percysmith
Old Nov 22, 18, 10:48 pm
  #216  
Suspended
 
Join Date: Oct 2017
Programs: jeweledgolfclub
Posts: 22
Originally Posted by percysmith:
BA admitted losing 21/4-28/7 card info as well yesterday: BA Investigating Theft of Personal and Financial Data
I'm surprised many of you lot do not feel the urgency to give CX some sticks
Posted by jeweled golf club
Old Nov 23, 18, 2:13 am
  #217  
FlyerTalk Evangelist
 
Join Date: Aug 2002
Location: London
Programs: Mucci. Nothing else matters.
Posts: 34,904
Originally Posted by percysmith:
BA admitted losing 21/4-28/7 card info as well yesterday: BA Investigating Theft of Personal and Financial Data
This was announced on 25 October 2018, not yesterday: BA Investigating Theft of Personal and Financial Data

This is also the announcement date given on the BA home page:

Posted by Globaliser
Old Nov 23, 18, 2:22 am
  #218  
Ambassador, Hong Kong and Macau
 
Join Date: May 2009
Location: HKG
Programs: Depends
Posts: 14,134
Originally Posted by Globaliser:
This was announced on 25 October 2018, not yesterday: BA Investigating Theft of Personal and Financial Data

This is also the announcement date given on the BA home page:

Yes, admitted my dates are wrong.

But still, it was some time after the first announcement; what's to stop CX from making a second announcement like BA?
Posted by percysmith
Old Nov 23, 18, 2:33 am
  #219  
FlyerTalk Evangelist
 
Join Date: Aug 2002
Location: London
Programs: Mucci. Nothing else matters.
Posts: 34,904
Originally Posted by percysmith:
But still, it was some time after the first announcement; what's to stop CX from making a second announcement like BA?
Nothing, I agree, if there is more to announce or more that CX decides to announce.
Posted by Globaliser
Old Nov 23, 18, 4:23 am
  #220  
Ambassador, Hong Kong and Macau
 
Join Date: May 2009
Location: HKG
Programs: Depends
Posts: 14,134
Originally Posted by Globaliser:
Nothing, I agree, if there is more to announce or more that CX decides to announce.
Hence the bigger case for Commission of Enquiry to make sure they do.
Posted by percysmith
Old Nov 23, 18, 5:18 am
  #221  
 
Join Date: Jan 2006
Programs: AAdvantage Asia Miles Air China
Posts: 561
Originally Posted by jeweled golf club:
I'm surprised many of you lot do not feel the urgency to give CX some sticks
This is one of the smarter discussion boards. Personally I am waiting to discover what the end-game real situation is, then assess the best options at that point and pursue them. As posted above there is likely more to come out, so the best strategy is to wait until we can see the really dirty end of the stick (from Dirty Harry).

I believe CX has gone about this in an unprofessional and somewhat underhand way when revealing the real situation through the coerced drip-drip fashion they have adopted up until now. They have placed at risk many people (and I think many do not understand the risk) over a period where those who have been put at risk could have mitigated that risk. Poor judgement.
Posted by Nicc HK
Old Nov 25, 18, 7:15 am
  #222  
FlyerTalk Evangelist
 
Join Date: Sep 2014
Programs: AC SE100K, 1MM, NH, DL, AA, GE/Nexus, APEC..
Posts: 15,281
SCMP - Sun Nov 25 2018

Collecting passenger data can help airlines’ customer service and profitability soar, but as Cathay Pacific hack shows it can be a risky strategy

https://www.scmp.com/news/hong-kong/...lines-customer
Posted by 24left
Old Nov 25, 18, 8:22 am
  #223  
 
Join Date: Nov 2017
Programs: MPC-Gold, Enrich-Plat
Posts: 582
Originally Posted by 24left:
SCMP - Sun Nov 25 2018

Collecting passenger data can help airlines’ customer service and profitability soar, but as Cathay Pacific hack shows it can be a risky strategy
Actually, there is nothing new in that. Those with 2 feet on the ground have been saying this for ages. Collecting data [at this scale, being a private company or government] is asking for some embarrassing moments somewhere in the future; the IF is not relevant, only the WHEN it will happen.

That's called privacy, and with the GDPR, the EU showed this backbone of fundamental data collection should be stopped. Companies will more and more refrain from collecting this data, simply because the [financial, fine] risks are too high.
Posted by Cambo
Old Nov 25, 18, 9:09 am
  #224  
FlyerTalk Evangelist
 
Join Date: Sep 2014
Programs: AC SE100K, 1MM, NH, DL, AA, GE/Nexus, APEC..
Posts: 15,281
Originally Posted by Cambo:
Actually, there is nothing new in that. Those with 2 feet on the ground have been saying this for ages. Collecting data [at this scale, being a private company or government] is asking for some embarrassing moments somewhere in the future; the IF is not relevant, only the WHEN it will happen.

That's called privacy, and with the GDPR, the EU showed this backbone of fundamental data collection should be stopped. Companies will more and more refrain from collecting this data, simply because the [financial, fine] risks are too high.
Yes and no.

I work in an industry where clients collect all manner of data. If a consumer wants coupons offering a discount towards a product, companies now want you to sign up with an email address (or more info) in order to get the coupons but also possibly track purchase behavior. Sure, one can use a freemail without name, but the concept is still in place, whereas previously, you could just take a coupon off the shelf in a store.

When you go to a store or other place where you make purchases of products and services, some retailers/companies ask for your postal code. They are tracking you and sure, you can use one that does not belong to you. I have a list of other examples which I won't post here.

In the retail and packaged goods industries, consumers have little reservation about turning over some of their info, just to get free stuff. All the privacy legislation in the world won't matter when someone clicks "Accept" on a website - be it reading a newspaper (tracking), or getting discount coupons towards a purchase.

When you buy anything with a credit card, the company/bank who issues that card tracks you and the agreement to be tracked and your purchase behaviour shared is often in the fine print of the cc user agreement.

When you purchase an airline ticket, you enter your name, address, email, cc and other info like your FF #, passport and other ID.
Or, it auto-populates if you are logged into your FFP. The airline has all this data. And for reasons we all know, it will often get turned over to the U.S. or others.

There have been breaches of customer data at AC and BA and while those affected at AC were a small number, BA and CX were not. Yet, the response from those who run BA and CX has essentially been a shrug, IMHO. There have been massive breaches at Yahoo, retailers, government agencies and of course, those clowns at the credit checking agencies.

Almost all the responses have been variations of a shrug.

You can all think what you like and yes, I do not live in HK and rules in Canada are somewhat different, but if customers and consumers don't want their personal data made available to companies, they can make a choice not to turn it over. It will be very difficult with airlines if one wants to fly. It will be very difficult with government departments who dispense medical services. When they get hacked, no one really wins battling either of them.

I don't know if lawsuits will change anything as they drag on in courts for years and money doesn't replace identity theft.
So what's the choice that is left?
Not fly that airline...until the next one you fly gets hacked because they also didn't take protection of data seriously?

And apologies to those on this forum who don't like outsiders weighing in on what some think is a local issue that matters only to those who fly CX or live in HK. All of us who fly CX were affected, wherever we live.
Posted by 24left
Old Nov 30, 18, 5:55 am
  #225  
 
Join Date: Nov 2017
Programs: MPC-Gold, Enrich-Plat
Posts: 582
Hahaha, Marriott/Starwood is reported to have beaten CX by a huge margin. 500M accounts/bookings leaked...
Posted by Cambo