
9.4 million passengers’ data stolen from CX


Nov 1, 18, 1:34 pm   -   Wikipost
Please read: This is a community-maintained wiki post containing the most important information from this thread. You may edit the Wiki once you have been on FT for 90 days and have made 90 posts.
 
Last edit by: kaka
Cathay Pacific information site:
https://infosecurity.cathaypacific.com/en_HK.html

If you want to hold CX to legal standing for the loss of private data, the best shot would be using EU GDPR regulations:
What to write to DPO/CX ([email protected]) according to EU GDPR in very short... (ref #177)
(if CX is seen as a HK company, then EU GDPR would apply to all EU Citizen inc valid and expired (not renounced) BNO Holders; and if CX is seen managed by John Swire & Sons Ltd in the UK via Swire, then Data Protection Act 2018 (of UK) which includes GDPR would apply to EVERYONE)
  • ask for data that CX hold on you
  • highlight specifically which data was lost
    (there's a few things you could ask them according to GDPR... refer to the website)
They have 1 month to respond or they will have to give you a reasonable timeframe where they have to respond by within the 1 month before you can go to ICO.

If you are seeking compensation from CX for the loss of private data, the following sites are dealing with class action against CX (not legal advice)

Oct 25, 18, 10:31 am
  #91  
 
Join Date: May 2006
Location: HKG
Programs: A3, TK *G; JL JGC; SPG,Hilton Gold
Posts: 9,944
Originally Posted by headinclouds View Post
Well, I have received 3 emails from CX in the last 2 days: Deal of the Month & credit card offers. I'm not an MPO nor Asia Miles member and the last paid ticket was part of a RTW ticket in Feb 2018. Before that Oct 2015. I wonder if I should be concerned being in the USA.
i'm just saying but seeing that not many CC was compromised AND some has never-used MPO accounts compromised, it might be MPO accounts that's problematic, not non-member fliers.
kaka is offline  
Oct 25, 18, 10:32 am
  #92  
 
Join Date: May 2006
Location: HKG
Programs: A3, TK *G; JL JGC; SPG,Hilton Gold
Posts: 9,944
Originally Posted by londonexpert View Post
Seems BA and CX are trying to outdo each other:

Since our announcement on September 6, 2018 regarding the theft of our customers’ data, British Airways has been working continuously with specialist cyber forensic investigators and the National Crime Agency to investigate fully the data theft. We are updating customers today with further information as we conclude our internal investigation.

The investigation has shown the hackers may have stolen additional personal data and we are notifying the holders of 77,000 payment cards, not previously notified, that the name, billing address, email address, card payment information, including card number, expiry date and CVV have potentially been compromised, and a further 108,000 without CVV. The potentially impacted customers were those only making reward bookings between April 21 and July 28, 2018, and who used a payment card.

While we do not have conclusive evidence that the data was removed from British Airways’ systems, we are taking a prudent approach in notifying potentially affected customers, advising them to contact their bank or card provider as a precaution. Customers who are not contacted by British Airways by Friday 26 October at 1700 GMT do not need to take any action.

In addition, from the investigation we know that fewer of the customers we originally announced were impacted. Of the 380,000 payment card details announced, 244,000 were affected. Crucially, we have had no verified cases of fraud.

We are very sorry that this criminal activity has occurred. As we have been doing, we will reimburse any customers who have suffered financial losses as a direct result of the data theft and we will be offering credit rating monitoring, provided by specialists in the field, to any affected customer who is concerned about an impact to their credit rating.
when was this!?!?!!?!?
sorry: 2 hours ago...

Last edited by kaka; Oct 25, 18 at 10:45 am
kaka is offline  
Oct 25, 18, 10:36 am
  #93  
 
Join Date: Oct 2018
Posts: 300
Originally Posted by kaka View Post
when was this!?!?!!?!?
today:

IAG Printer Friendly Version - News Release
londonexpert is offline  
Oct 25, 18, 10:39 am
  #94  
FlyerTalk Evangelist
 
Join Date: Jun 2002
Location: Hong Kong
Programs: None any more
Posts: 10,708
Originally Posted by tobiashenry View Post
Is it possible to do a class action against them? Or any recourse there is?
No class actions in HK. And in any case you would need to prove some loss. You would think that if anyone had actually suffered any financial loss from this information being copied then it would be in the press by now.

Your paranoia about other people knowing your name, HKID, address and DOB (none of which is actually secret) is not cause for a class action IMHO.
christep is offline  
Oct 25, 18, 11:03 am
  #95  
 
Join Date: Dec 2001
Location: New York, NY
Programs: LH Senator, CX Diamond
Posts: 575
These [expletive] at Cathay Pacific Cathay Pathetic have the gall to draft communications with phrases like:

"We are contacting you to make you aware of a data security event that involves some of your personal data. We are very sorry for any concern that this event may cause you, and this notice will provide you with information about what happened and how we can assist you."

A data security event is a data security conference or convention. An event is the HK Sevens. This is a data privacy breach and these [expletive] can't even / don't even have enough respect and decency for their customers to be candid about describing what has happened.

Even the subject line of the email I received was "Important information about your personal data" not Notice of Breach of Your Data Privacy or something clearer.

The email I received this morning stated the following types of personal data about me were accessed:
  • Date of Birth
  • Email Address
  • Name
  • Nationality
  • Telephone Number
  • Title
  • Travel Document Number
Your travel or loyalty profile was not accessed in full, and your password was not compromised.
Mr. Strong is offline  
Oct 25, 18, 11:08 am
  #96  
 
Join Date: Aug 2016
Location: Hong Kong
Programs: CX DM (OWE), TK Elite (*A Gold)
Posts: 138
I have received two identical emails on this topic in the last 45 minutes - thank you Rupert, I heard you the first time.
What is a major concern is they are not stating what parts of our travel/ loyalty profile were accessed. Anyone signed up to the IdentityWorks service?
beach86 is offline  
Oct 25, 18, 11:25 am
  #97  
 
Join Date: Dec 2001
Location: New York, NY
Programs: LH Senator, CX Diamond
Posts: 575
Originally Posted by FlyPointyEnd View Post
so what happens if the ID Monitoring Services is not available?
For those affected in the Philippines, CX should be covered by Republic Act 10173 - Data Privacy Act of 2012 (DPA). https://www.privacy.gov.ph/data-privacy-act/
For extraterritorial application of the DPA, see https://www.privacy.gov.ph/data-privacy-act/#6

If my understanding is correct, given the extent and size of CX's business in the Philippines, it has to comply with the DPA and its Implementing Rules and Regulations and thus would have to have a Data Privacy Officer (DPO) in the Philippines. Hopefully that DPO should answer what kind of ID Monitoring Services are available. If you can't get a hold of the DPO for CX in the Philippines, I suggest that you reach out to Rob Bradshaw, CX Philippines Country Manager and apply some pressure on him to get an answer.
Mr. Strong is offline  
Oct 25, 18, 11:30 am
  #98  
 
Join Date: May 2006
Location: HKG
Programs: A3, TK *G; JL JGC; SPG,Hilton Gold
Posts: 9,944
Originally Posted by beach86 View Post
What is a major concern is they are not stating what parts of our travel/ loyalty profile were accessed.
indeed...
Anyone signed up to the IdentityWorks service?
i did
kaka is offline  
Oct 25, 18, 11:33 am
  #99  
FlyerTalk Evangelist
 
Join Date: Jun 2002
Location: Hong Kong
Programs: None any more
Posts: 10,708
I'd just like to point out that if you were a hacker aiming at identity theft then someone like IdentityWorks would be your #1 target.

I'm not convinced that the best approach to someone maybe having some of your personal identifiers is to share them all with yet another company who must be high risk.
christep is offline  
Oct 25, 18, 12:31 pm
  #100  
 
Join Date: Jun 2015
Location: New York
Programs: AA, CX, SPG, Marriott
Posts: 1,366
Originally Posted by kaka View Post
i'm just saying but seeing that not many CC was compromised AND some has never-used MPO accounts compromised, it might be MPO accounts that's problematic, not non-member fliers.
Providing a non-member data point.

The following personal information about you was accessed:
  • Address
  • Flown Flight Number & Date
  • Name
  • Title
I mostly agree with one of the replies above - not mad about the breach, as it's just a matter of time for any company. But I am disappointed about the huge 5-month gap.
andersonCooper is offline  
Oct 25, 18, 1:23 pm
  #101  
 
Join Date: Dec 2010
Location: YYZ
Programs: AMEX AC CX UA AA DL
Posts: 2,823
Sounds like their "test" databases used by IT are compromised. The "test" data usually comes from real data with certain fields masked / removed.

Or could be data used for marketing purposes, by outside firms. Each marketing campaign selects clients based on different sets of criteria.
beep88 is offline  
Oct 25, 18, 1:36 pm
  #102  
 
Join Date: Feb 2005
Location: SFO
Programs: no status
Posts: 25
The following personal information about you was accessed:
  • Email Address
  • HKID Number
  • Name
  • Nationality
  • Telephone Number
Your travel or loyalty profile was not accessed in full, and your password was not compromised.

I don't have HKID!
tulalit is offline  
Oct 25, 18, 1:43 pm
  #103  
 
Join Date: Mar 2014
Posts: 208
Furious

Received last night 21:12 PDT

The following personal information about you was accessed:
  • Date of Birth
  • Email Address
  • HKID Number
  • Name
  • Nationality
  • Telephone Number
  • Title
  • Travel Document Number
Your travel or loyalty profile was not accessed in full, and your password was not compromised.
jerrywu is offline  
Oct 25, 18, 1:49 pm
  #104  
HAF
 
Join Date: Jan 2008
Location: HMB, Bay Area California
Programs: AS MVP Gold, AAPlatinum, UA Exec. Premier, Hilton, Marriott, Delta, Southwest.....
Posts: 214
i got the email notice 10:58am pacific....
The following personal information about you was accessed:
  • Address
  • Name
  • Title
Your travel or loyalty profile was not accessed in full, and your password was not compromised.
i do not have an account with them - i use my alaska FF when i fly them SFO-India.... i am not too concerned if only address / name / title are compromised ... but i am not sure if i trust them if only that data were indeed leaked.

--HAF
HAF is offline  
Oct 25, 18, 1:57 pm
  #105  
 
Join Date: Feb 2008
Location: Independent! But mostly BKK, BCN, SFO, PDX, SEA...
Programs: Doing it for the lie flat. Kayaker, AS MP, MPO Silver, DL/AA nada
Posts: 956
Took all my s**t.

The following personal information about you was accessed:
  • Address
  • Date of Birth
  • Name
  • Nationality
  • Telephone Number
  • Title
  • Travel Document Number
Your travel or loyalty profile was not accessed in full, and your password was not compromised.
If I cared about credit or identity theft, there'd be a lawsuit. As it stands, this might be enough for me to stop flying them entirely.
FiveMileFinal is offline  