
9.4 million passengers’ data stolen from CX

Old Nov 1, 18, 1:34 pm   -   Wikipost
Last edit by: kaka
Cathay Pacific information site:
https://infosecurity.cathaypacific.com/en_HK.html

If you want to hold CX legally accountable for the loss of private data, the best option is to rely on the EU GDPR:
What to write to the DPO/CX ([email protected]) under EU GDPR, in very short form (ref #177)
(If CX is treated as a HK company, then EU GDPR applies to all EU citizens, including valid and expired (not renounced) BNO holders; if CX is treated as managed by John Swire & Sons Ltd in the UK via Swire, then the UK Data Protection Act 2018, which incorporates GDPR, applies to EVERYONE.)
  • ask for the data that CX holds on you
  • highlight specifically which data was lost
    (there are a few other things you can ask them for under GDPR; refer to the website)
They have 1 month to respond; if they cannot, they must give you a reasonable timeframe, set within that 1 month, by which they will respond, before you can go to the ICO.

If you are seeking compensation from CX for the loss of private data, the following sites are dealing with class action against CX (not legal advice):

Old Jul 10, 19, 3:25 am
  #241  
Ambassador, Hong Kong and Macau
 
Join Date: May 2009
Location: HKG
Programs: Depends
Posts: 14,359
Originally Posted by garykung:
PCPD is weak. If you expect PCPD will do anything for you, it is more practical for you to sue CX at the Small Claims Tribunal - faster, cheaper, and effective.
If EU can whack a fine on a non-EU corporation like Marriott, can they whack a similar fine on CX (trading in EU)?
-- percysmith
Old Jul 10, 19, 5:51 am
  #242  
 
Join Date: Aug 2009
Location: ZOA, SFO, HKG
Programs: UA 1K 0.8MM, Marriott PLT, HHonors Gold, Hertz PC, SBux Gold, TSA Pre✓
Posts: 9,984
Originally Posted by percysmith:
If EU can whack a fine on a non-EU corporation like Marriott, can they whack a similar fine on CX (trading in EU)?
Maybe.

The extent of the CX data breach is very much unknown. If EC wants to rely on GDPR for fines, the data breach itself must have some relationship with Europe (this is why BA is doomed, but not necessarily Marriott).

If the data breach mostly involves the personal information of customers in Hong Kong, which sounds like the case here, then the EC will have no say on a domestic issue that happened in Hong Kong.

So yes - this is primarily a PCPD issue, which you can guess what the PCPD will do.
-- garykung
Old Jul 10, 19, 6:35 am
  #243  
Ambassador, Hong Kong and Macau
 
Join Date: May 2009
Location: HKG
Programs: Depends
Posts: 14,359
Originally Posted by garykung:
the data breach itself must have some relationship with Europe (this is why BA is doomed, but not necessarily Marriott).

If the data breach mostly involves the personal information of customers in Hong Kong, which sounds like the case here, then the EC will have no say on a domestic issue that happened in Hong Kong.
Why would the Marriott breach mostly involve EU residents? Not a domestic issue for the US?
-- percysmith
Old Jul 10, 19, 1:20 pm
  #244  
 
Join Date: Aug 2009
Location: ZOA, SFO, HKG
Programs: UA 1K 0.8MM, Marriott PLT, HHonors Gold, Hertz PC, SBux Gold, TSA Pre✓
Posts: 9,984
Originally Posted by percysmith:
Why would the Marriott breach mostly involve EU residents? Not a domestic issue for the US?
Marriott is a worldwide issue. That's why the EC can do whatever they want against Marriott.
-- garykung
Old Jul 10, 19, 8:37 pm
  #245  
Ambassador, Hong Kong and Macau
 
Join Date: May 2009
Location: HKG
Programs: Depends
Posts: 14,359
Originally Posted by garykung:
Marriott is a worldwide issue. That's why the EC can do whatever they want against Marriott.
And CX is a carrier selling fares to EU residents.
-- percysmith
Old Jul 11, 19, 2:07 pm
  #246  
 
Join Date: Aug 2009
Location: ZOA, SFO, HKG
Programs: UA 1K 0.8MM, Marriott PLT, HHonors Gold, Hertz PC, SBux Gold, TSA Pre✓
Posts: 9,984
Originally Posted by percysmith:
And CX is a carrier selling fares to EU residents.
Yes... but where is CX data stored?
-- garykung
Old Jul 11, 19, 2:39 pm
  #247  
 
Join Date: Jan 2016
Location: LON
Programs: BAEC, Accor
Posts: 1,324
Originally Posted by garykung:
Yes... but where is CX data stored?
Doesn't matter where the data is stored. If it includes the personal data of EU citizens then it is in scope for EU GDPR regulations.
-- plunet
Old Jul 11, 19, 2:45 pm
  #248  
 
Join Date: Aug 2009
Location: ZOA, SFO, HKG
Programs: UA 1K 0.8MM, Marriott PLT, HHonors Gold, Hertz PC, SBux Gold, TSA Pre✓
Posts: 9,984
Originally Posted by plunet:
Doesn't matter where the data is stored. If it includes the personal data of EU citizens then it is in scope for EU GDPR regulations.
But how many of them?
-- garykung
Old Jul 12, 19, 3:50 am
  #249  
 
Join Date: Jan 2006
Programs: AAdvantage Asia Miles Air China
Posts: 591
Originally Posted by plunet:
Doesn't matter where the data is stored. If it includes the personal data of EU citizens then it is in scope for EU GDPR regulations.
Actually it does, and I have first-hand experience of this. I will give you a scenario: GDPR cannot be enforced on an HK-based company whose servers are in HK and which has no physical or other presence within the EU, simply because HK courts will not enforce EU laws on an extra-territorial basis.

Now CX has operations and presence in the EU, which includes the processing of information relating to citizens of EU members that takes place within those EU members. As with Marriott, an EU member state can well act proportionately.
-- Nicc HK
Old Jul 12, 19, 4:15 am
  #250  
FlyerTalk Evangelist
 
Join Date: Aug 2002
Location: London
Programs: Mucci. Nothing else matters.
Posts: 35,446
Originally Posted by Nicc HK:
I will give you a scenario: GDPR cannot be enforced on an HK-based company whose servers are in HK and which has no physical or other presence within the EU, simply because HK courts will not enforce EU laws on an extra-territorial basis.
But surely this would not stop a fine being enforced against the HK-based company? After all, the particular HK-based company in question has some rather valuable assets within the EU, from time to time, but for long enough on each occasion for them to be seized.
-- Globaliser
Old Jul 12, 19, 4:18 am
  #251  
 
Join Date: Jan 2016
Location: LON
Programs: BAEC, Accor
Posts: 1,324
Originally Posted by Nicc HK:
Actually it does, and I have first-hand experience of this. I will give you a scenario: GDPR cannot be enforced on an HK-based company whose servers are in HK and which has no physical or other presence within the EU, simply because HK courts will not enforce EU laws on an extra-territorial basis.

Now CX has operations and presence in the EU, which includes the processing of information relating to citizens of EU members that takes place within those EU members. As with Marriott, an EU member state can well act proportionately.
Agree in part with what you say, Nicc HK. If a company operating overseas does not expect or solicit interaction with EU residents then it does not need to comply with GDPR, although it probably should, because the principles mandated by GDPR are a good thing to do for any personal data. Some more background reading on this here.

Whether the law could be invoked against a HK company with no presence in the EU is another question, but the GDPR regulations are extra-terrestrial and apply globally.

But in the context of CX and Marriott it definitely does apply, and to that extent it doesn't matter where the data resides.
-- plunet
Old Jul 12, 19, 4:27 am
  #252  
 
Join Date: Jan 2006
Programs: AAdvantage Asia Miles Air China
Posts: 591
Originally Posted by Globaliser:
But surely this would not stop a fine being enforced against the HK-based company? After all, the particular HK-based company in question has some rather valuable assets within the EU, from time to time, but for long enough on each occasion for them to be seized.
You are right, and this is what I said.
-- Nicc HK
Old Jul 12, 19, 4:33 am
  #253  
 
Join Date: Jan 2006
Programs: AAdvantage Asia Miles Air China
Posts: 591
Originally Posted by plunet:
Agree in part with what you say, Nicc HK. If a company operating overseas does not expect or solicit interaction with EU residents then it does not need to comply with GDPR, although it probably should, because the principles mandated by GDPR are a good thing to do for any personal data. Some more background reading on this here.

Whether the law could be invoked against a HK company with no presence in the EU is another question, but the GDPR regulations are extra-terrestrial and apply globally.

But in the context of CX and Marriott it definitely does apply, and to that extent it doesn't matter where the data resides.
Therein lies the problem: to be applied on an extra-territorial (I like your assertion that they can be applied across the universe) basis, there must be assets which can be impacted within the EU. Which is the point I am trying to get across.

It does raise interesting questions as to whether an EU member state citizen is covered if they were affected but were not inside the EU at the time the infringement occurred.

I do apologise; I do contracts and IPRs for a living, so these issues are directly relevant to my work, and I appreciate the comments people write here for their different perspectives.

Last edited by Nicc HK; Jul 12, 19 at 6:17 am
-- Nicc HK
Old Jul 12, 19, 5:04 am
  #254  
:D!
 
Join Date: Sep 2012
Location: Aberdeen, Bella Vista and Croydon
Programs: BA Spire, Hilton *G, A3 Diamond, IHG Silver
Posts: 4,227
In the most extreme scenario CX could simply be barred from operating to the EU if it refused to pay any fine.

If CX did not operate in the EU, it could still fall afoul of the GDPR if it handled EU passengers' data improperly, but there would not be much recourse if it didn't pay.

This is akin to the case where a Danish citizen purchased Cuban cigars from Germany, but unfortunately the bank transfer went through US banks and was seized due to the US embargo. The US could not normally enforce its embargo outside the US, but the participants unwittingly involved the US and suffered for it.
-- :D!
