FlyerTalk Forums > Miles&Points > Airlines and Mileage Programs > Cathay Pacific | Marco Polo Club

9.4 million passengers' data stolen from CX

Old Nov 1, 18, 1:34 pm   -   Wikipost
Please read: This is a community-maintained wiki post containing the most important information from this thread. You may edit the Wiki once you have been on FT for 90 days and have made 90 posts.
 
Last edit by: kaka
Wiki Link
Cathay Pacific information site:
https://infosecurity.cathaypacific.com/en_HK.html

If you want to hold CX to legal standing for the loss of private data, the best shot would be using EU GDPR regulations:
What to write to DPO/CX ([email protected]) according to EU GDPR in very short... (ref #177)
(if CX is seen as a HK company, then EU GDPR would apply to all EU citizens, including valid and expired (not renounced) BNO holders; and if CX is seen as managed by John Swire & Sons Ltd in the UK via Swire, then the Data Protection Act 2018 (of the UK), which includes GDPR, would apply to EVERYONE)
  • ask for data that CX hold on you
  • highlight specifically which data was lost
    (there are a few things you could ask them according to GDPR... refer to the website)
They have 1 month to respond or they will have to give you a reasonable timeframe where they have to respond by within the 1 month before you can go to ICO.

If you are seeking compensation from CX for the loss of private data, the following sites are dealing with class action against CX (not legal advice)

Old Oct 25, 18, 9:38 am
  #76  
 
Join Date: Oct 2014
Location: HKG
Posts: 1,052
Originally Posted by Gongzuokuang:
To those that have received the emailed notification, can one of you confirm if it comes from the same Marco Polo email address? I want to make sure my spam filters whitelist the address if it is something different.
It comes from [email protected]

Just received it for a second time within an 8 hour period. All content same.
gpia is offline  
Old Oct 25, 18, 10:03 am
  #77  
 
Join Date: Jan 2000
Posts: 3,145
I'm 4/4 accounts breached. With 9.4mn accounts breached in total, it's probably a safe bet that practically everyone on this board who has taken a CX/KA flight in the past few years will get the dreaded email.
fallinasleep is offline  
Old Oct 25, 18, 10:33 am
  #78  
Suspended
 
Join Date: May 2006
Location: HKG
Programs: A3, TK *G; JL JGC; SPG,Hilton Gold
Posts: 9,959
More emails coming in, for a family member:
  • HKID Number
  • Name
  • Telephone Number
  • Title
kaka is offline  
Old Oct 25, 18, 10:51 am
  #79  
Suspended
 
Join Date: Jun 2002
Location: Hong Kong
Programs: None any more
Posts: 11,015
Name and address are public information if you're registered as a voter. HKID is an identifier just like your name, not an authenticator, so no issue for me in those being public.

I'd be a bit pissed off about passport number and DOB being out there, although many people publish the latter on their Facebook pages anyway.

I really don't see this as a big deal from a personal ID security point of view.

It's poor IT security by CX, but I guess this was some sort of phishing attack that got a staff member's password - there must be thousands of CX people, including contractors, in many countries who have access to all this data.

I actually think the way they have managed it isn't at all bad given that no passwords were exposed. I would hope that, perhaps without us noticing it, since May the stolen information has not been sufficient to do anything major with the affected accounts without further authentication.
christep is offline  
Old Oct 25, 18, 11:02 am
  #80  
 
Join Date: Oct 2018
Posts: 414
Seems BA and CX are trying to outdo each other:

Since our announcement on September 6, 2018 regarding the theft of our customers’ data, British Airways has been working continuously with specialist cyber forensic investigators and the National Crime Agency to investigate fully the data theft. We are updating customers today with further information as we conclude our internal investigation.

The investigation has shown the hackers may have stolen additional personal data and we are notifying the holders of 77,000 payment cards, not previously notified, that the name, billing address, email address, card payment information, including card number, expiry date and CVV have potentially been compromised, and a further 108,000 without CVV. The potentially impacted customers were those only making reward bookings between April 21 and July 28, 2018, and who used a payment card.

While we do not have conclusive evidence that the data was removed from British Airways’ systems, we are taking a prudent approach in notifying potentially affected customers, advising them to contact their bank or card provider as a precaution. Customers who are not contacted by British Airways by Friday 26 October at 1700 GMT do not need to take any action.

In addition, from the investigation we know that fewer of the customers we originally announced were impacted. Of the 380,000 payment card details announced, 244,000 were affected. Crucially, we have had no verified cases of fraud.

We are very sorry that this criminal activity has occurred. As we have been doing, we will reimburse any customers who have suffered financial losses as a direct result of the data theft and we will be offering credit rating monitoring, provided by specialists in the field, to any affected customer who is concerned about an impact to their credit rating.
londonexpert is offline  
Old Oct 25, 18, 11:07 am
  #81  
 
Join Date: May 2016
Location: HKG
Programs: CX DM, SQ Gold
Posts: 81
Originally Posted by christep:
Name and address are public information if you're registered as a voter. HKID is an identifier just like your name, not an authenticator, so no issue for me in those being public.

I'd be a bit pissed off about passport number and DOB being out there, although many people publish the latter on their Facebook pages anyway.

I really don't see this as a big deal from a personal ID security point of view.

It's poor IT security by CX, but I guess this was some sort of phishing attack that got a staff member's password - there must be thousands of CX people, including contractors, in many countries who have access to all this data.

I actually think the way they have managed it isn't at all bad given that no passwords were exposed. I would hope that, perhaps without us noticing it, since May the stolen information has not been sufficient to do anything major with the affected accounts without further authentication.
Not necessarily "not a big deal" IMHO.

Last time I called Marco Polo to transact some business, all they needed to verify me was my HKID, contact number, email address and my passport nationality, all of which was reported to me earlier as having been stolen...
fast03 is offline  
Old Oct 25, 18, 11:08 am
  #82  
 
Join Date: Oct 2018
Posts: 414
I know it is a BIG hassle, and I really prefer not to, but maybe MPO needs to reissue MPO numbers to all affected members?
kaka likes this.
londonexpert is offline  
Old Oct 25, 18, 11:12 am
  #83  
 
Join Date: Jul 2000
Location: ey class
Posts: 245
And CX host a hackathon....

"We will host a series of exciting activities on location at Cathay Pacific's headquarters, leading up to the 24-hour Hackathon. You'll be able to gain an exclusive insider understanding of our airline operations...."

maybe this was done during one of these events....
gear down is offline  
Old Oct 25, 18, 11:13 am
  #84  
Suspended
 
Join Date: Jun 2002
Location: Hong Kong
Programs: None any more
Posts: 11,015
Originally Posted by fast03:
Last time I called Marco Polo to transact some business, all they needed to verify me was my HKID, contact number, email address and my passport nationality, all of which was reported to me earlier as having been stolen...
This to me is the problem. None of those are good authenticators. Basic systems security is very clear on identifiers and authenticators. As far as I can tell, what has been accessed are various identifiers.

The problem, and this is longstanding, is that Cathay (and many, many other organisations) use identifiers as pseudo-authenticators. And this is bad.

The banking world seems to have got to grips with this with 2-factor authentication (although I am not at all comfortable with some of the mobile phone banking stuff).
christep is offline  
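An added worked example (not part of any post in this thread, and not Cathay Pacific's actual procedure) of the identifier/authenticator distinction christep draws above: each attribute type named in the thread is classified as an identifier or an authenticator, and a verification script is then audited against a breached attribute set. The field names, the three policies and the breach inventory are constructed for illustration; passwords are left out of the breached set because the thread reports them as not exposed.

```python
"""Audit a verification script against a breached attribute set.

Constructed example: the field names, policies and breach inventory are
assumptions for illustration, not any airline's real procedure.
"""
from dataclasses import dataclass
from enum import Enum
from typing import Any, Dict, FrozenSet


class Kind(Enum):
    IDENTIFIER = "identifier"        # names an account; obtainable by third parties
    AUTHENTICATOR = "authenticator"  # secret or possession proof only the holder has


# Assumed classification of the attribute types this thread mentions.
FIELD_KIND: Dict[str, Kind] = {
    "name": Kind.IDENTIFIER,
    "address": Kind.IDENTIFIER,
    "dob": Kind.IDENTIFIER,
    "hkid": Kind.IDENTIFIER,
    "passport_number": Kind.IDENTIFIER,
    "nationality": Kind.IDENTIFIER,
    "phone": Kind.IDENTIFIER,
    "email": Kind.IDENTIFIER,
    "membership_number": Kind.IDENTIFIER,
    "password": Kind.AUTHENTICATOR,
    "app_otp": Kind.AUTHENTICATOR,   # code from an enrolled authenticator app
    "sms_otp": Kind.AUTHENTICATOR,   # one-time code to a registered number (weakest)
}

# Constructed breach inventory built only from attribute types named in the
# thread; passwords were reported as not exposed, so they are not listed.
BREACHED: FrozenSet[str] = frozenset({
    "name", "address", "dob", "hkid", "passport_number", "nationality",
    "phone", "email", "membership_number",
})


@dataclass(frozen=True)
class Policy:
    """A verification script: the fields an agent must match before acting."""
    name: str
    required: FrozenSet[str]


def audit(policy: Policy, breached: FrozenSet[str] = BREACHED) -> Dict[str, Any]:
    """Evaluate a verification policy against a known-breached attribute set.

    The check is structural: a policy that requires no authenticator is only
    as strong as the secrecy of its identifiers, and once every required
    identifier is in a breach dump the policy matches anyone holding the dump.
    """
    unknown = policy.required - set(FIELD_KIND)
    if unknown:
        raise ValueError(f"unclassified fields in policy {policy.name!r}: {sorted(unknown)}")
    authenticators = {f for f in policy.required if FIELD_KIND[f] is Kind.AUTHENTICATOR}
    leaked_required = policy.required & breached
    return {
        "policy": policy.name,
        "authenticators": sorted(authenticators),
        "leaked_required": sorted(leaked_required),
        # Nothing secret is asked for and every required field is breached.
        "defeated_by_breach": not authenticators and policy.required <= breached,
        # SMS is the one authenticator here that rides on a breached identifier.
        "sms_only_second_factor": authenticators == {"sms_otp"},
    }


# Three hypothetical agent scripts, from the pattern described in the thread
# to one that adds a possession factor.
LEGACY = Policy("phone agent: identity questions only",
                frozenset({"hkid", "phone", "email", "nationality"}))
SMS_STEP_UP = Policy("phone agent: identity questions + SMS code",
                     frozenset({"membership_number", "hkid", "sms_otp"}))
HARDENED = Policy("phone agent: membership number + app OTP",
                  frozenset({"membership_number", "app_otp"}))


if __name__ == "__main__":
    for policy in (LEGACY, SMS_STEP_UP, HARDENED):
        print(audit(policy))
```

The audit deliberately does not score how "hard to guess" an identifier is: the point of the post above is that guessability is the wrong axis once the identifiers sit in a dump, so the only question worth asking of a script is whether it demands something the breach could not have contained.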
Old Oct 25, 18, 11:15 am
  #85  
Suspended
 
Join Date: Jun 2002
Location: Hong Kong
Programs: None any more
Posts: 11,015
Originally Posted by gear down:
And CX host a hackathon....

"We will host a series of exciting activities on location at Cathay Pacific's headquarters, leading up to the 24-hour Hackathon. You'll be able to gain an exclusive insider understanding of our airline operations...."

maybe this was done during one of these events....
Far, far more likely is that somebody offered a probably quite trivial amount of money to get access to the systems outsourced in The Philippines or China or India.
kaka likes this.
christep is offline  
Old Oct 25, 18, 11:22 am
  #86  
Suspended
 
Join Date: May 2006
Location: HKG
Programs: A3, TK *G; JL JGC; SPG,Hilton Gold
Posts: 9,959
Originally Posted by christep:
Name and address are public information if you're registered as a voter. HKID is an identifier just like your name, not an authenticator, so no issue for me in those being public.

I'd be a bit pissed off about passport number and DOB being out there, although many people publish the latter on their Facebook pages anyway.

I really don't see this as a big deal from a personal ID security point of view.

It's poor IT security by CX, but I guess this was some sort of phishing attack that got a staff member's password - there must be thousands of CX people, including contractors, in many countries who have access to all this data.

I actually think the way they have managed it isn't at all bad given that no passwords were exposed. I would hope that, perhaps without us noticing it, since May the stolen information has not been sufficient to do anything major with the affected accounts without further authentication.
Yes and no. I don't think the address is public as such. Everyone can access it at HAD/EAC but you can't take a photo and run around with it. HKID works as well as passport number in HK. It's what you use to access bank accounts over the phone with a few other details - sometimes DOB, address and phone number, occasionally a few more obscure questions (thank god I use an alternative mobile number for CX/MPO). Not everyone throws DOB on Facebook, AND tbh this is how some people have their last piece of personal details thrown away for scammers to catch.
And all this is if CX told us everything about the truth.

Also, I wonder which part of the DB got caught out. I know some people have dummy MPO/registered accounts for all sorts of purposes and even those are lost - so it's not like the reason for the loss is through purchases/redemptions.

Originally Posted by christep:
Far, far more likely is that somebody offered a probably quite trivial amount of money to get access to the systems outsourced in The Philippines or China or India.
I agree, and got caught out in an argument where some semi-public figure said the same and was accused of being racist.

However, 2 pieces of info that CX didn't talk much about are 1) membership numbers (this is SURELY compromised... see above about accounts that were never used in ticketed bookings), and 2) travel history.
kaka is offline  
Old Oct 25, 18, 11:24 am
  #87  
 
Join Date: Apr 2000
Posts: 2,465
Well, I have received 3 emails from CX in the last 2 days: Deal of the Month & credit card offers. I'm not an MPO nor Asia Miles member and the last paid ticket was part of a RTW ticket in Feb 2018. Before that Oct 2015. I wonder if I should be concerned being in the USA.
headinclouds is offline  
Old Oct 25, 18, 11:26 am
  #88  
 
Join Date: Dec 2015
Location: YUL/LHR/HKG
Programs: TK Gold
Posts: 325
Is it possible to do a class action against them? Or any recourse there is?
tobiashenry is offline  
Old Oct 25, 18, 11:28 am
  #89  
Suspended
 
Join Date: May 2006
Location: HKG
Programs: A3, TK *G; JL JGC; SPG,Hilton Gold
Posts: 9,959
Originally Posted by christep:
This to me is the problem. None of those are good authenticators. Basic systems security is very clear on identifiers and authenticators. As far as I can tell, what has been accessed are various identifiers.

The problem, and this is longstanding, is that Cathay (and many, many other organisations) use identifiers as pseudo-authenticators. And this is bad.

The banking world seems to have got to grips with this with 2-factor authentication (although I am not at all comfortable with some of the mobile phone banking stuff).
at least more are doing away with SMS....
kaka is offline  
Old Oct 25, 18, 11:30 am
  #90  
Suspended
 
Join Date: May 2006
Location: HKG
Programs: A3, TK *G; JL JGC; SPG,Hilton Gold
Posts: 9,959
Originally Posted by tobiashenry:
Is it possible to do a class action against them? Or any recourse there is?
Not in HK. Seeing you're in London you might fare better IF Brexit fails. The EU courts are the most consumer-friendly for now. After that it's the US (but it would probably cost even more).
kaka is offline  
