FlyerTalk Forums

9.4 million passengers’ data stolen from CX (https://www.flyertalk.com/forum/cathay-pacific-cathay/1937167-9-4-million-passengers-data-stolen-cx.html)

Dave510 Oct 24, 2018 8:51 pm

I don't think Cathay's IT heads deserve all the blame. Most corporations think of IT as an expense that should be minimized, and Cathay has already been cutting costs across the board, heavily. There's not much IT can do if they're extremely understaffed and under budget. The fact that IT continues to be lacklustre despite personnel change seems to suggest the issue is more than just incompetence on the part of the IT department leadership.

kaka Oct 24, 2018 9:22 pm


Originally Posted by SuloL (Post 30352974)
This is a really worrying trend, and 7 months for notification is totally unacceptable. Perhaps a lot of people affected were EU citizens and EU could slap CX with a good fine? :p

Now I'm thinking if my situation is related, where AM has done a grande f**k-up recently.

Called in the other day to book awards, agent started verification. When asked about passport issuing country (been asked and have answered this many times before) she told me my answer was wrong! She claimed that my passport nationality should be HK. Never even had a HK passport! And the last time I booked awards (1 month back) my answer to the issuing country (the real one) was good to go. Wondering what the hell is going on with their customer data mgmt...

yes
any bno holders (or expired ones as long as you did not renounce it) can do this on top of the normal suspects of eu28 passport holders

peasant Oct 24, 2018 9:28 pm

If you look at the org chart, there is no CIO/ Director IT anymore. The IT general managers report direct to CCO (Chief Commercial Officer) who is also in charge of sales/ marketing/ cargo/ customer experience...

Nicc HK Oct 24, 2018 9:56 pm

Bl**dy CX
 
Now I am seriously annoyed, just received this from CX

Dear Mr Nicc
We are contacting you to make you aware of a data security event that involves some of your personal data. We are very sorry for any concern that this event may cause you, and this notice will provide you with information about what happened and how we can assist you.

What happened?

As part of our ongoing IT security processes, we discovered unauthorised access to some of our passenger data.

We initially discovered suspicious activity on our network in March this year. Upon discovery, we took immediate action to contain the event, to commence a thorough investigation with the assistance of a leading cybersecurity firm, and to further strengthen our IT security measures. Unauthorised access to certain personal data was confirmed in early May. Since that time, analysis of the data has continued in order to identify affected individuals and to determine whether the data at issue could be reconstructed.

We have no evidence that any personal data has been misused. We recommend that you follow the steps outlined in this notice to help protect yourself against potential risks.

What information was involved?

The following types of personal data about you were accessed:
  • HKID Number
  • Name
  • Nationality
  • Title
  • Travel Document Number
Your travel or loyalty profile was not accessed in full, and your password was not compromised.

What are we doing to help?

You can find more information at our dedicated website, infosecurity.cathaypacific.com.

Where available in your country, we are offering ID monitoring services to affected passengers. This will be provided by Experian, a global data and information service provider. This service (IdentityWorks Global Internet Surveillance) monitors if your personal data may be available on public websites, chat rooms, blogs, and non-public places on the internet where data can be compromised such as dark web sites.

This is an optional service, and how much information to include in the identity monitoring is completely at your discretion.

The information you provide to Experian will only be used by Experian for the sole purposes of identity monitoring. It will not be published to any other entity.

Please visit the following website: http://www.globalidworks.com/identity1 and click the Get Started button to activate this 12 month complimentary service. You can then enter your personalized activation code: SCREW CX to start your IdentityWorks Global Internet Surveillance.

We have notified, or are notifying, the relevant authorities and the Hong Kong Police.

What should I do?

Although no-one’s travel or loyalty profile was accessed in full and no passwords were compromised, as best practice, we recommend that you consider:
  • changing your passwords regularly;
  • checking for any suspicious activity; and
  • being vigilant against phishing or other attempted scams.

To date, there is no evidence of misuse. However, it is possible that the personal data could be misused for unauthorised purposes such as fraud or identity theft.

As mentioned above and where available in your country, we are offering ID monitoring services to affected passengers. Please visit the following website: http://www.globalidworks.com/identity1 and click the Get Started button to activate this 12 month complimentary service using your personalized activation code above.


For more information

If you have any further questions about the event, you can contact us by:
  • visiting our dedicated website at infosecurity.cathaypacific.com;
  • call our dedicated call centre (toll free numbers available at infosecurity.cathaypacific.com); or
  • emailing us at [email protected].

We want to reassure you that there is no impact on flight safety as the IT systems affected are totally separate from our flight operations systems, and that we continue to take measures to enhance our IT security. Your safety and security remains our top priority.


Yours sincerely,

Rupert Hogg
Chief Executive Officer
Cathay Pacific Airways Limited

For your information:

Asia Miles is owned by, and provided to members by Cathay Pacific Airways Limited, and is managed and operated by Asia Miles Limited, a wholly owned subsidiary of Cathay Pacific Airways Limited, as an agent of Cathay Pacific Airways Limited.

Hong Kong Dragon Airlines Limited is a wholly owned subsidiary of Cathay Pacific Airways Limited and Cathay Pacific Airways Limited manages and provides IT support services to Hong Kong Dragon Airlines Limited.

The ID Monitoring Services are available in Australia, Brazil, Canada, France, Germany, Hong Kong, India, Ireland, Italy, Mexico, Netherlands, New Zealand, Norway, Poland, Singapore, United Kingdom and United States.

FlyPointyEnd Oct 24, 2018 10:30 pm

Looks like a lot of DMs are affected....I guess we get priority also when our data get stolen

frankyguy Oct 24, 2018 10:43 pm

I think that's it for CX for me. 14 years as a DM and the airline is not even a shadow of its former self. I can put up with the declining soft and hard DM benefits, the bad food and bad wine but will not tolerate what appears to be such a blase attitude to the breach of personal data security. Seven months? Bye CX.

FlyPointyEnd Oct 24, 2018 11:30 pm


Originally Posted by Nicc HK (Post 30353151)
The ID Monitoring Services are available in Australia, Brazil, Canada, France, Germany, Hong Kong, India, Ireland, Italy, Mexico, Netherlands, New Zealand, Norway, Poland, Singapore, United Kingdom and United States.

so what happens if the ID Monitoring Services is not available?

Nicc HK Oct 24, 2018 11:37 pm

What gets me is that these arses knew for months and said nothing. That means through their incompetence/negligence we have all been put at unknowing and unnecessary risk. CX should have advised affected people as soon as they knew.

I am going to discuss this with lawyers.

FlyPointyEnd Oct 24, 2018 11:53 pm


Originally Posted by Nicc HK (Post 30353339)
What gets me is that these arses knew for months and said nothing. That means through their incompetence/negligence we have all been put at unknowing and unnecessary risk. CX should have advised affected people as soon as they knew.

I am going to discuss this with lawyers.

Class action?

fast03 Oct 24, 2018 11:53 pm

Got the same email as Nicc.

I’m quite angry with the 7 months notice to the public to be honest.

If there was a breach to my very personal data that I have entrusted a company to, I would expect to be notified after a considerate time when due diligence and verification of breach has been completed. I’m sure there are GDPR consequences cause of this.

7 months after the fact is a blatant attempt to hide it under the rug and the justification for the delay is to “avoid causing unnecessary panic among customers” is simply BS.

Over the past year(s) I’m really finding it hard to see if the airline has actually done any good for its customers or has actually kept us a priority for management decisions.

FlyPointyEnd Oct 24, 2018 11:54 pm


Originally Posted by fast03 (Post 30353378)
Got the same email as Nicc.

I’m quite angry with the 7 months notice to the public to be honest.

If there was a breach to my very personal data that I have entrusted a company to, I would expect to be notified after a considerate time when due diligence and verification of breach has been completed. I’m sure there are GDPR consequences cause of this.

7 months after the fact is a blatant attempt to hide it under the rug and the justification for the delay is to “avoid causing unnecessary panic among customers” is simply BS.

Over the past year(s) I’m really finding it hard to see if the airline has actually done any good for its customers or has actually kept us a priority for management decisions.

I agree, they did admit that they confirmed it in May, it still took them 5 months to disclose the matter.

kaka Oct 25, 2018 12:12 am


Originally Posted by FlyPointyEnd (Post 30353381)
I agree, they did admit that they confirmed it in May, it still took them 5 months to disclose the matter.

spoke w some tech ppl and lawyer people.

if you read between the lines, they did not say they were hacked (read BA on 7sept). and that they had “too many” IT contractors.

seems like they got some dodgy contractors.

and if you look at the scope of what info was leaked, pax info (we as ffp are worried) and past travel records. not so much of cc info (so they may not be after the money)...

plunet Oct 25, 2018 12:22 am


Originally Posted by cathaychap (Post 30352747)
I believe what Cathay is saying is that nobody has had their full profile taken. It's more bits of data taken. Like a few numbers of a passport and half an email address. At any rate, visit infosecurity.cathaypacific.com if concerned. The good thing is that CX, unlike BA, has a coordinated response to the threat. I had to cancel two credit cards with the BA thing.

I really have to disagree. BA at least notified the affected customers promptly and although the news of the loss was unpalatable they managed to pull off the notification quickly, how some of the card issuers have responded to the breach has been haphazard but that is not BA's direct fault.

Cathay have been sitting on this for 7 months and have been irresponsible in their inaction and for EU citizens would have automatically been guilty of an unnecessary delay if the breach had happened since GDPR had been enacted.

blum81 Oct 25, 2018 12:25 am


Originally Posted by plunet (Post 30353447)
I really have to disagree. BA at least notified the affected customers promptly and although the news of the loss was unpalatable they managed to pull off the notification quickly, how some of the card issuers have responded to the breach has been haphazard but that is not BA's direct fault.

Cathay have been sitting on this for 7 months and have been irresponsible in their inaction and for EU citizens would have automatically been guilty of an unnecessary delay if the breach had happened since GDPR had been enacted.


Agree. A lot can happen in 7 months. Customers could have taken their own precautions to protect themselves such as canceling credit cards, replacing passports, or even doing their own credit and ID checks.

sxc Oct 25, 2018 12:36 am

No wonder the lounges are so crowded, with all this data for identity theft :D


All times are GMT -6.