
9.4 million passengers’ data stolen from CX


Old Nov 1, 18, 1:34 pm   -   Wikipost
Please read: This is a community-maintained wiki post containing the most important information from this thread. You may edit the Wiki once you have been on FT for 90 days and have made 90 posts.
 
Last edit by: kaka
Cathay Pacific information site:
https://infosecurity.cathaypacific.com/en_HK.html

If you want to hold CX to legal standing for the loss of private data, the best shot would be using EU GDPR regulations:
What to write to DPO/CX ([email protected]) according to EU GDPR in very short... (ref #177)
(if CX is seen as a HK company, then EU GDPR would apply to all EU citizens, incl. valid and expired (not renounced) BNO holders; and if CX is seen as managed by John Swire & Sons Ltd in the UK via Swire, then the Data Protection Act 2018 (of the UK), which includes GDPR, would apply to EVERYONE)
  • ask for data that CX hold on you
  • highlight specifically which data was lost
    (there are a few things you could ask them according to GDPR... refer to the website)
They have 1 month to respond, or within that 1 month they have to give you a reasonable timeframe by which they will respond, before you can go to the ICO.

If you are seeking compensation from CX for the loss of private data, the following sites are dealing with class action against CX (not legal advice)

Old Oct 25, 18, 2:05 pm
  #106  
 
Join Date: Dec 2000
Location: HKG
Programs: AA 3MM EXP, SQ Solitaire, LH SEN, CX DM, GP Courtesy Card, Marriott LT Titanium
Posts: 2,899
I wonder if they actually have email addresses for all 9m affected people? There must be some that they do not have an email address for. Are they going to send snail mail to them about this?

Also, it seems that the data breach was not linked directly to their loyalty program, but from reservation and operations, as it seems to have affected people who bought tickets outside of CX, i.e. affiliate redemption, etc.
tfung is offline  
Old Oct 25, 18, 2:36 pm
  #107  
 
Join Date: Aug 2007
Location: SBA
Programs: AA EXP, UA Gold/1MM, Bonvoy Platinum
Posts: 933
Originally Posted by FlyPointyEnd View Post
All of my DM friends already got an email. Maybe they are informing people based on MPO status first hehehe
I don't think so. I received an email from CX earlier today, and I am just a registered user. I don't even have a Marco Polo Club account.
MrJBoy is offline  
Old Oct 25, 18, 3:26 pm
  #108  
formerly AtomicLush
 
Join Date: Jun 2005
Location: ORD (formerly SAN)
Programs: Hilton Diamond; IHG Spire; AA former-Platinum (DH = EXP), Delta Gold
Posts: 1,505
I was looking for a breach notification, but have not received it yet. However, I did get an invitation to ADD more info to my profile yesterday! No joke! Um, thanks, but no thanks?

"Did you know your travel experience could be even smoother by updating your profile on cathaypacific.com? By storing information such as travel documents and contact information – for yourself and up to three companions – you can save time during online booking and check-in.

As a Registered Account holder, you will also be the first to know about our latest flight promotions, new benefits, and exclusive offers we plan to introduce – starting with a great birthday offer coming soon.

Click here now to update your details, including your birthday!

Sincerely,
Cathay Pacific"
TravelLawyer is offline  
Old Oct 25, 18, 4:35 pm
  #109  
 
Join Date: Sep 2011
Location: MNL
Programs: CX MPO DM, Le Club Accor Platinum, World of Hyatt Explorist
Posts: 2,026
Originally Posted by Mr. Strong View Post
For those affected in the Philippines, CX should be covered by Republic Act 10173 - Data Privacy Act of 2012 (DPA). https://www.privacy.gov.ph/data-privacy-act/
For extraterritorial application of the DPA, see https://www.privacy.gov.ph/data-privacy-act/#6

If my understanding is correct, given the extent and size of CX's business in the Philippines, it has to comply with the DPA and its Implementing Rules and Regulations and thus would have to have a Data Privacy Officer (DPO) in the Philippines. Hopefully that DPO should answer what kind of ID Monitoring Services are available. If you can't get a hold of the DPO for CX in the Philippines, I suggest that you reach out to Rob Bradshaw, CX Philippines Country Manager and apply some pressure on him to get an answer.
After the recent cuts in the staff in Manila, I’d be surprised if they still have a DPO in the town office...
FlyPointyEnd is offline  
Old Oct 25, 18, 5:23 pm
  #110  
 
Join Date: Mar 2010
Location: New York
Programs: AAdvantage, BA Executive Club, CX MPC, Marriot Rewards, Priority Club
Posts: 139
I got the email this morning and it states:

The following personal information about you was accessed:
  • Address
  • Name
  • Title
Your travel or loyalty profile was not accessed in full, and your password was not compromised.

My wife, who has flown more on CX this year than me (and has higher status), has not received the email as of yet.
thekfc is offline  
Old Oct 25, 18, 6:18 pm
  #111  
 
Join Date: Dec 2001
Location: China
Posts: 1,479
Originally Posted by tfung View Post
I wonder if they actually have email addresses for all 9m affected people? There must be some that they do not have an email address for. Are they going to send snail mail to them about this?

Also, it seems that the data breach was not linked directly to their loyalty program, but from reservation and operations, as it seems to have affected people who bought tickets outside of CX, i.e. affiliate redemption, etc.

My guess is that they have a 'customer profile' database harvesting & storing information from reservations, loyalty etc. So it doesn't have passwords, but does have other MPO profile data. For EU residents, might want to ask under GDPR.
peasant is offline  
Old Oct 25, 18, 6:57 pm
  #112  
 
Join Date: Sep 2011
Location: MNL
Programs: CX MPO DM, Le Club Accor Platinum, World of Hyatt Explorist
Posts: 2,026
Okay...I've calmed down a bit. Hacking, data breach or whatever you may want to call it...it seems like it happens all the time and is a reality in this day and age. Except for my birthday and travel document, the information is found on my calling card anyway. What I guess still upsets me is the fact that it was kept from us for all this time. I do agree they needed time to verify, which they did last May, but why wait till yesterday to disclose? It just doesn't make any sense to me.
Nicc HK likes this.
FlyPointyEnd is offline  
Old Oct 25, 18, 7:12 pm
  #113  
sxc
Moderator, Cathay Pacific
Accor Contributor Badge
 
Join Date: Dec 2004
Programs: CX MPC Silver, BAEC Gold (OWE), Hyatt
Posts: 9,419
Originally Posted by FiveMileFinal View Post
Took all my s**t.



If I cared about credit or identity theft, there'd be a lawsuit. As it stands, this might be enough for me to stop flying them entirely.
Typically companies that recover from these situations end up being the most secure organisations. So flying another airline for this reason may end up being counterproductive.
PacificSunrise likes this.
sxc is offline  
Old Oct 25, 18, 8:08 pm
  #114  
 
Join Date: Sep 2013
Posts: 525
I suspect with this data breach, the MPC line is slammed right now. Can't get through
LoveHateRelationship is offline  
Old Oct 25, 18, 8:24 pm
  #115  
 
Join Date: Dec 2012
Location: Hong Kong
Posts: 6
I got the email and it states:

The following types of personal data about you were accessed:
  • Email Address
  • Flown Flight Number & Date
  • HKID Number
  • Name
  • Nationality
  • Permit Number
  • Telephone Number
  • Title
Your travel or loyalty profile was not accessed in full, and your password was not compromised.
happyshanzhui is offline  
Old Oct 25, 18, 8:27 pm
  #116  
 
Join Date: Sep 2011
Location: MNL
Programs: CX MPO DM, Le Club Accor Platinum, World of Hyatt Explorist
Posts: 2,026
Someone told me the data breach is punishable under EU GDPR...penalty is 4% annual revenue...is this real?

Last edited by FlyPointyEnd; Oct 25, 18 at 8:37 pm
FlyPointyEnd is offline  
Old Oct 25, 18, 8:42 pm
  #117  
 
Join Date: Jun 2015
Location: Shanghai
Programs: Flying Blue, Marco Polo, Skywards, Etihad Guest, IHG
Posts: 236
Originally Posted by FlyPointyEnd View Post
Someone told me the data breach is punishable under EU GDPR...penalty is 4% annual revenue...is this real?
I believe it's 4% but CX will be able to get away from GDPR as the breach happened before the implementation of GDPR.
rienhart87 is offline  
Old Oct 25, 18, 8:49 pm
  #118  
 
Join Date: Apr 2014
Location: Hong Kong, London, Toronto, Bangkok
Programs: MPC, OneWorld, 1865 Voyager, Hyatt, Horizon Club
Posts: 132
Whether it is related or unrelated, and although my CC details were not stolen, I logged 1 fraudulent transaction with my HSBC CC approx two months ago, which I have used to pay for flights previously; and my relatives and friends have also logged two fraudulent CC uses (Amex Cathay Elite) this past weekend. Whether or not these are coincidences, just a friendly reminder to really look at your statements and check any bank notifications as to unauthorised/card not present transactions.
hphreak is offline  
Old Oct 25, 18, 8:55 pm
  #119  
 
Join Date: Mar 2012
Location: Vancouver, Manila, Singapore, Kuala Lumpur, Hong Kong
Programs: CX-DM, Marriott Gold, Fairmont Premier
Posts: 195
Originally Posted by rienhart87 View Post
I believe it's 4% but CX will be able to get away from GDPR as the breach happened before the implementation of GDPR.
My cynical tin foil hat side of me wonders if the breach happened after GDPR was implemented in May, but saying March will get them grandfathered lol.
blum81 is offline  
Old Oct 25, 18, 9:48 pm
  #120  
 
Join Date: May 2006
Location: PMD
Programs: UA*G, NW, AA. WR, HH, IHG, Accor. TT-GE.
Posts: 1,992
Originally Posted by happyshanzhui View Post
I got the email and it states:

The following types of personal data about you were accessed:
  • Email Address
  • Flown Flight Number & Date
  • HKID Number
  • Name
  • Nationality
  • Permit Number
  • Telephone Number
  • Title
Your travel or loyalty profile was not accessed in full, and your password was not compromised.
Your version is alarming--it fits the speculation that a neighboring government may be hacking to search for data hidden by their own citizens such as other nationalities and travel history.
kaka and HarbourGent like this.
HkCaGu is offline  
