
9.4 million passengers’ data stolen from CX


Old Nov 1, 18, 1:34 pm   -   Wikipost
Please read: This is a community-maintained wiki post containing the most important information from this thread. You may edit the Wiki once you have been on FT for 90 days and have made 90 posts.
 
Last edit by: kaka
Cathay Pacific information site:
https://infosecurity.cathaypacific.com/en_HK.html

If you want to hold CX to legal standing for the loss of private data, the best shot would be using EU GDPR regulations:
What to write to DPO/CX ([email protected]) according to EU GDPR in very short... (ref #177)
(if CX is seen as a HK company, then EU GDPR would apply to all EU Citizen inc valid and expired (not renounced) BNO Holders; and if CX is seen managed by John Swire & Sons Ltd in the UK via Swire, then Data Protection Act 2018 (of UK) which includes GDPR would apply to EVERYONE)
  • ask for data that CX hold on you
  • highlight specifically which data was lost
    (there's a few things you could ask them according to GDPR... refer to the website)
They have 1 month to respond or they will have to give you a reasonable timeframe where they have to respond by within the 1 month before you can go to ICO.

If you are seeking compensation from CX for the loss of private data, the following sites are dealing with class action against CX (not legal advice)

Old Oct 24, 18, 8:51 pm
  #16  
 
Join Date: Aug 2014
Location: YYZ
Programs: Marriott/SPG, BR, CX, Aeroplan
Posts: 398
I don't think Cathay's IT heads deserve all the blame. Most corporations think of IT as an expense that should be minimized, and Cathay has already been cutting costs across the board, heavily. There's not much IT can do if they're extremely understaffed and under budget. The fact that IT continues to be lacklustre despite personnel change seems to suggest the issue is more than just incompetence on the part of the IT department leadership.
Dave510 is online now  
Old Oct 24, 18, 9:22 pm
  #17  
 
Join Date: May 2006
Location: HKG
Programs: A3, TK *G; JL JGC; SPG,Hilton Gold
Posts: 9,944
Originally Posted by SuloL View Post
This is a really worrying trend, and 7 months for notification is totally unacceptable. Perhaps a lot of people affected were EU citizens and EU could slap CX with a good fine?

Now I'm thinking if my situation is related, where AM has done a grande f**k-up recently.

Called in the other day to book awards, agent started verification. When asked about passport issuing country (been asked and have answered this many times before) she told me my answer was wrong! She claimed that my passport nationality should be HK. Never even had a HK passport! And the last time I booked awards (1 month back) my answer to the issuing country (the real one) was good to go. Wondering what the hell is going on with their customer data mgmt...
yes
any bno holders (or expired ones as long as you did not renounce it) can do this on top of the normal suspects of eu28 passport holders
kaka is offline  
Old Oct 24, 18, 9:28 pm
  #18  
 
Join Date: Dec 2001
Location: China
Posts: 1,481
If you look at the org chart, there is no CIO/ Director IT anymore. The IT general managers report direct to CCO (Chief Commercial Officer) Who is also in charge of sales/ marketing/ cargo/ customer experience...
peasant is offline  
Old Oct 24, 18, 9:56 pm
  #19  
 
Join Date: Jan 2006
Programs: AAdvantage Asia Miles Air China
Posts: 561
Bl**dy CX

Now I am seriously annoyed, just received this from CX

Dear Mr Nicc
We are contacting you to make you aware of a data security event that involves some of your personal data. We are very sorry for any concern that this event may cause you, and this notice will provide you with information about what happened and how we can assist you.

What happened?

As part of our ongoing IT security processes, we discovered unauthorised access to some of our passenger data.

We initially discovered suspicious activity on our network in March this year. Upon discovery, we took immediate action to contain the event, to commence a thorough investigation with the assistance of a leading cybersecurity firm, and to further strengthen our IT security measures. Unauthorised access to certain personal data was confirmed in early May. Since that time, analysis of the data has continued in order to identify affected individuals and to determine whether the data at issue could be reconstructed.

We have no evidence that any personal data has been misused. We recommend that you follow the steps outlined in this notice to help protect yourself against potential risks.
What information was involved?

The following types of personal data about you were accessed:
  • HKID Number
  • Name
  • Nationality
  • Title
  • Travel Document Number
Your travel or loyalty profile was not accessed in full, and your password was not compromised.
What are we doing to help?

You can find more information at our dedicated website, infosecurity.cathaypacific.com.

Where available in your country, we are offering ID monitoring services to affected passengers. This will be provided by Experian, a global data and information service provider. This service (IdentityWorks Global Internet Surveillance) monitors if your personal data may be available on public websites, chat rooms, blogs, and non-public places on the internet where data can be compromised such as dark web sites.

This is an optional service, and how much information to include in the identity monitoring is completely at your discretion.

The information you provide to Experian will only be used by Experian for the sole purposes of identity monitoring. It will not be published to any other entity.

Please visit the following website: http://www.globalidworks.com/identity1 and click the Get Started button to activate this 12 month complimentary service. You can then enter your personalized activation code: SCREW CX to start your IdentityWorks Global Internet Surveillance.

We have notified, or are notifying, the relevant authorities and the Hong Kong Police.

What should I do?

Although no-one’s travel or loyalty profile was accessed in full and no passwords were compromised, as best practice, we recommend that you consider:
  • changing your passwords regularly;
  • checking for any suspicious activity; and
  • being vigilant against phishing or other attempted scams.

To date, there is no evidence of misuse. However, it is possible that the personal data could be misused for unauthorised purposes such as fraud or identity theft.

As mentioned above and where available in your country, we are offering ID monitoring services to affected passengers. Please visit the following website : http://www.globalidworks.com/identity1 and click the Get Started button to activate this 12 month complimentary service using your personalized activation code above.


For more information

If you have any further questions about the event, you can contact us by:
  • visiting our dedicated website at infosecurity.cathaypacific.com;
  • call our dedicated call centre (toll free numbers available at infosecurity.cathaypacific.com); or
  • emailing us at [email protected].
We want to reassure you that there is no impact on flight safety as the IT systems affected are totally separate from our flight operations systems, and that we continue to take measures to enhance our IT security. Your safety and security remains our top priority.


Yours sincerely,

Rupert Hogg
Chief Executive Officer
Cathay Pacific Airways Limited

For your information:

Asia Miles is owned by, and provided to members by Cathay Pacific Airways Limited, and is managed and operated by Asia Miles Limited, a wholly owned subsidiary of Cathay Pacific Airways Limited, as an agent of Cathay Pacific Airways Limited.

Hong Kong Dragon Airlines Limited is a wholly owned subsidiary of Cathay Pacific Airways Limited and Cathay Pacific Airways Limited manages and provides IT support services to Hong Kong Dragon Airlines Limited.

The ID Monitoring Services are available in Australia, Brazil, Canada, France, Germany, Hong Kong, India, Ireland, Italy, Mexico, Netherlands, New Zealand, Norway, Poland, Singapore, United Kingdom and United States.

Last edited by Nicc HK; Oct 24, 18 at 10:01 pm
Nicc HK is offline  
Old Oct 24, 18, 10:30 pm
  #20  
 
Join Date: Sep 2011
Location: MNL
Programs: CX MPO DM, Le Club Accor Platinum, World of Hyatt Explorist
Posts: 2,029
Looks like a lot of DMs are affected....I guess we get priority also when our data get stolen
FlyPointyEnd is offline  
Old Oct 24, 18, 10:43 pm
  #21  
 
Join Date: Aug 2005
Location: Hong Kong
Programs: QF Platinum, Former CX Diamond, TG Gold, HH Diamond, IHG Spire Ambassador, Amex Platinum
Posts: 167
I think that's it for CX for me. 14 years as a DM and the airline is not even a shadow of its former self. I can put up with the declining soft and hard DM benefits, the bad food and bad wine but will not tolerate what appears to be such a blase attitude to the breach of personal data security. Seven months? Bye CX.
frankyguy is offline  
Old Oct 24, 18, 11:30 pm
  #22  
 
Join Date: Sep 2011
Location: MNL
Programs: CX MPO DM, Le Club Accor Platinum, World of Hyatt Explorist
Posts: 2,029
Originally Posted by Nicc HK View Post
The ID Monitoring Services are available in Australia, Brazil, Canada, France, Germany, Hong Kong, India, Ireland, Italy, Mexico, Netherlands, New Zealand, Norway, Poland, Singapore, United Kingdom and United States.
so what happens if the ID Monitoring Services is not available?
FlyPointyEnd is offline  
Old Oct 24, 18, 11:37 pm
  #23  
 
Join Date: Jan 2006
Programs: AAdvantage Asia Miles Air China
Posts: 561
What gets me is that these arses knew for months and said nothing. That means through their incompetence/negligence we have all been put at unknowing and unnecessary risk. CX should have advised affected people as soon as they knew.

I am going to discuss this with lawyers.

Last edited by Nicc HK; Oct 24, 18 at 11:44 pm
Nicc HK is offline  
Old Oct 24, 18, 11:53 pm
  #24  
 
Join Date: Sep 2011
Location: MNL
Programs: CX MPO DM, Le Club Accor Platinum, World of Hyatt Explorist
Posts: 2,029
Originally Posted by Nicc HK View Post
What gets me is that these arses knew for months and said nothing. That means through their incompetence/negligence we have all been put at unknowing and unnecessary risk. CX should have advised affected people as soon as they knew.

I am going to discuss this with lawyers.
Class action?
kaka, blum81 and AmD950 like this.
FlyPointyEnd is offline  
Old Oct 24, 18, 11:53 pm
  #25  
 
Join Date: May 2016
Location: HKG
Programs: CX DM, Shangri-La Jade, Fairmont PC, APEC
Posts: 81
Got the same email as Nicc.

I’m quite angry with the 7 months notice to the public to be honest.

If there was a breach to my very personal data that I have entrusted a company to, I would expect to be notified after a considerate time when due diligence and verification of breach has been completed. I’m sure there are GDPR consequences cause of this.

7 months after the fact is a blatant attempt to hide it under the rug and the justification for the delay is to “avoid causing unnecessary panic among customers” is simply BS.

Over the past year(s) I’m really finding it hard to see if the airline has actually done any good for its customers or has actually kept us a priority for management decisions.
Nicc HK, HarbourGent and marcommm like this.
fast03 is offline  
Old Oct 24, 18, 11:54 pm
  #26  
 
Join Date: Sep 2011
Location: MNL
Programs: CX MPO DM, Le Club Accor Platinum, World of Hyatt Explorist
Posts: 2,029
Originally Posted by fast03 View Post
Got the same email as Nicc.

I’m quite angry with the 7 months notice to the public to be honest.

If there was a breach to my very personal data that I have entrusted a company to, I would expect to be notified after a considerate time when due diligence and verification of breach has been completed. I’m sure there are GDPR consequences cause of this.

7 months after the fact is a blatant attempt to hide it under the rug and the justification for the delay is to “avoid causing unnecessary panic among customers” is simply BS.

Over the past year(s) I’m really finding it hard to see if the airline has actually done any good for its customers or has actually kept us a priority for management decisions.
I agree, they did admit that they confirmed it in May, it still took them 5 months to disclose the matter.

Last edited by FlyPointyEnd; Oct 25, 18 at 12:00 am
FlyPointyEnd is offline  
Old Oct 25, 18, 12:12 am
  #27  
 
Join Date: May 2006
Location: HKG
Programs: A3, TK *G; JL JGC; SPG,Hilton Gold
Posts: 9,944
Originally Posted by FlyPointyEnd View Post
I agree, they did admit that they confirmed it in May, it still took them 5 months to disclose the matter.
spoke w some tech ppl and lawyer people.

if you read between the lines, they did not say they were hacked (read BA on 7sept). and that they had “too many” IT contractors.

seems like they got some dodgy contractors.

and if you look at the scope of what info was leaked, pax info (we as ffp are worried) and past travel records. not so much of cc info (so they may not be after the money)...
kaka is offline  
Old Oct 25, 18, 12:22 am
  #28  
 
Join Date: Jan 2016
Location: LON
Programs: BAEC, Accor
Posts: 1,194
Originally Posted by cathaychap View Post
I believe what Cathay is saying is that nobody has had their full profile taken. It's more bits of data taken. Like a few numbers of a passport and half an email address. At any rate, visit infosecurity.cathaypacific.com if concerned. The good thing is that CX, unlike BA, has a coordinated response to the threat. I had to cancel two credit cards with the BA thing.
I really have to disagree. BA at least notified the affected customers promptly and although the news of the loss was unpalatable they managed to pull off the notification quickly, how some of the card issuers have responded to the breach has been haphazard but that is not BA's direct fault.

Cathay have been sitting on this for 7 months and have been irresponsible in their inaction and for EU citizens would have automatically been guilty of an unnecessary delay if the breach had happened since GDPR had been enacted.
plunet is offline  
Old Oct 25, 18, 12:25 am
  #29  
 
Join Date: Mar 2012
Location: Vancouver, Manila, Singapore, Kuala Lumpur, Hong Kong
Programs: CX-DM, Marriott Gold, Fairmont Premier
Posts: 195
Originally Posted by plunet View Post
I really have to disagree. BA at least notified the affected customers promptly and although the news of the loss was unpalatable they managed to pull off the notification quickly, how some of the card issuers have responded to the breach has been haphazard but that is not BA's direct fault.

Cathay have been sitting on this for 7 months and have been irresponsible in their inaction and for EU citizens would have automatically been guilty of an unnecessary delay if the breach had happened since GDPR had been enacted.

Agree. A lot can happen in 7 months. Customers could have taken their own precautions to protect themselves such as canceling credit cards, replacing passports, or even doing their own credit and ID checks.
blum81 is offline  
Old Oct 25, 18, 12:36 am
  #30  
sxc
Moderator, Cathay Pacific
 
Join Date: Dec 2004
Programs: CX MPC Silver, BAEC Gold (OWE), Hyatt
Posts: 9,425
No wonder the lounges are so crowded, with all this data for identity theft
sxc is offline  