9.4 million passengers’ data stolen from CX

Old Nov 1, 18, 1:34 pm   -   Wikipost
Please read: This is a community-maintained wiki post containing the most important information from this thread. You may edit the Wiki once you have been on FT for 90 days and have made 90 posts.
 
Last edit by: kaka
Cathay Pacific information site:
https://infosecurity.cathaypacific.com/en_HK.html

If you want to hold CX to legal standing for the loss of private data, the best shot would be using EU GDPR regulations:
What to write to DPO/CX ([email protected]) according to EU GDPR in very short... (ref #177)
(if CX is seen as a HK company, then EU GDPR would apply to all EU Citizen inc valid and expired (not renounced) BNO Holders; and if CX is seen managed by John Swire & Sons Ltd in the UK via Swire, then Data Protection Act 2018 (of UK) which includes GDPR would apply to EVERYONE)
  • ask for data that CX hold on you
  • highlight specifically which data was lost
    (there's a few things you could ask them according to GDPR... refer to the website)
They have 1 month to respond or they will have to give you a reasonable timeframe where they have to respond by within the 1 month before you can go to ICO.

If you are seeking compensation from CX for the loss of private data, the following sites are dealing with class action against CX (not legal advice)

Old Oct 25, 18, 9:52 pm
  #121  
Suspended
 
Join Date: May 2006
Location: HKG
Programs: A3, TK *G; JL JGC; SPG,Hilton Gold
Posts: 9,959
Originally Posted by blum81
My cynical tin foil hat side of me wonders if the breach happened after GDPR was implemented in May, but saying March will get them grandfathered lol.
do you have the EU28 passport or BNO?
we might be able to give GDPR some kicks so they would look into it more carefully.
kaka is offline  
Old Oct 25, 18, 10:02 pm
  #122  
 
Join Date: Jul 2014
Location: HKG / DUB / YYZ
Programs: CX AY DL
Posts: 174
My dad who has NOT flown with CX in the past 5 years (but uses AM otherwise) has had his
  • Address
  • Name
  • Title
accessed. Hmm...
fishball is offline  
Old Oct 25, 18, 10:15 pm
  #123  
 
Join Date: Jun 2016
Location: Hong Kong
Programs: Lowly CX & IHG
Posts: 347
I joined this mess with name, nationality, permit number and title. Well I surrendered these to the northern territory through name verification long ago so that's not much added concern to me. For my travel history, maybe the internet giants have had my data more comprehensively.

I also think the time is quite too long and not the most intuitive choice to disclose so late than to truly sweep it under the rug. Is it better to know? Yeah in the spirit of GDPR sort of thing, even though worried me and not much I could do. Given the delay hopefully there's no further "correction" to the area of impact.
watery is offline  
Old Oct 25, 18, 10:16 pm
  #124  
 
Join Date: Oct 2004
Programs: BR Gold, MPC Silver
Posts: 304
Received the email.
  • Date of Birth
  • Email Address
  • Name
  • Nationality
  • Telephone Number
  • Title
  • Travel Document Number
LapuLapu is offline  
Old Oct 25, 18, 10:32 pm
  #125  
 
Join Date: Mar 2012
Location: Vancouver, Manila, Singapore, Kuala Lumpur, Hong Kong
Programs: CX-DM, Marriott Gold, Fairmont Premier
Posts: 225
Originally Posted by kaka
do you have the EU28 passport or BNO?
we might be able to give GDPR some kicks so they would look into it more carefully.
Naah. holding a Canada passport, but living in Malaysia.

Don't think there's anything I can do except to do the Canadian thing in saying "Sorry Cathay for trusting you and having my confidential data with you".
blum81 is offline  
Old Oct 25, 18, 10:35 pm
  #126  
 
Join Date: Jan 2017
Programs: MPC GR
Posts: 151
Received the email and my HKID and date of birth were accessed

But I don't have a HKID number in the first place?
corbomite is offline  
Old Oct 25, 18, 10:36 pm
  #127  
 
Join Date: Oct 2016
Posts: 82
  • Address
  • Date of Birth
  • Email Address
  • Flown Flight Number & Date
  • Name
  • Nationality
  • Permit Number
  • Telephone Number
  • Title
  • Travel Document Number

Got my list...I wonder what is NOT accessed? This looks like pretty much everything?
xuukgo is offline  
Old Oct 25, 18, 10:57 pm
  #128  
 
Join Date: Mar 2012
Location: Vancouver, Manila, Singapore, Kuala Lumpur, Hong Kong
Programs: CX-DM, Marriott Gold, Fairmont Premier
Posts: 225
Originally Posted by xuukgo
  • Address
  • Date of Birth
  • Email Address
  • Flown Flight Number & Date
  • Name
  • Nationality
  • Permit Number
  • Telephone Number
  • Title
  • Travel Document Number

Got my list...I wonder what is NOT accessed? This looks like pretty much everything?
meal preference is missing.
Nile_US likes this.
blum81 is offline  
Old Oct 26, 18, 12:00 am
  #129  
 
Join Date: Jan 2018
Programs: MPCGO
Posts: 121
"We initially discovered suspicious activity on our network in March this year. Upon discovery, we took immediate action to contain the event, to commence a thorough investigation with the assistance of a leading cybersecurity firm, and to further strengthen our IT security measures. Unauthorised access to certain personal data was confirmed in early May. Since that time, analysis of the data has continued in order to identify affected individuals and to determine whether the data at issue could be reconstructed."

If 9 million passengers' data was compromised, no way was there any immediate action as the event wasn't contained.

"We have no evidence that any personal data has been misused. We recommend that you follow the steps outlined in this notice to help protect yourself against potential risks."

Looking at above posts with fraudulent CC transactions with CX Amex cards (not one, but multiple individuals), I find this hard to believe.

"The following types of personal data about you were accessed:
  • Address
  • Email Address
  • Name
  • Nationality
  • Telephone Number
  • Title
Your travel or loyalty profile was not accessed in full, and your password was not compromised."

So am I assuming that it was accessed partially?

Such a vague and self-contradictory email.
mbamejia is offline  
Old Oct 26, 18, 12:43 am
  #130  
Original Poster
 
Join Date: Mar 2012
Location: Boulder
Programs: AA Plat, CX Silver
Posts: 2,304
Does anyone know if Cathay ever named a Data Protection Officer for GDPR purposes?
txflyer77 is offline  
Old Oct 26, 18, 3:02 am
  #131  
 
Join Date: Dec 2001
Location: China
Posts: 1,500
Originally Posted by txflyer77
Does anyone know if Cathay ever named a Data Protection Officer for GDPR purposes?
Customers requesting more information or clarification on specific Personal Data usage are welcome to contact us at [email protected] or write to us at the below mailing addresses:

The Data Protection Officer
Cathay Pacific Airways Limited
6th Floor Cathay Pacific City
8 Scenic Road
Hong Kong International Airport
Lantau
Hong Kong

Hong Kong Dragon Airlines Limited
5th Floor Cathay Dragon House
11 Tung Fai Road
Hong Kong International Airport
Lantau
Hong Kong

So looks as if they are keen to protect their personal data/ privacy!
peasant is offline  
Old Oct 26, 18, 3:18 am
  #132  
 
Join Date: Mar 2005
Location: Vancouver, BC
Programs: Aeroplan
Posts: 798
For CX to disclose this six months later is unforgivable. They say they took immediate action, but immediate action requires you to notify those who could be affected. That way, THEY can take immediate action to limit damage/protect themselves. By delaying this six months, the thieves could have done incalculable damage to up to 9M customers by now.

The management team at CX are such irresponsible liars. I hope CX gets fined/sued appropriately for such casual disregard of their customers.
kaka likes this.
Frayed_Yak is offline  
Old Oct 26, 18, 4:42 am
  #133  
 
Join Date: Oct 2017
Location: UK
Programs: too many
Posts: 347
Originally Posted by kaka
my gf lost her hkid and name. great....
Marry her, name change, problem solved :-)

(although it might be an expensive way to remedy the situation :-D
ng1265 is offline  
Old Oct 26, 18, 5:31 am
  #134  
Suspended
 
Join Date: May 2006
Location: HKG
Programs: A3, TK *G; JL JGC; SPG,Hilton Gold
Posts: 9,959
Originally Posted by ng1265
Marry her, name change, problem solved :-)

(although it might be an expensive way to remedy the situation :-D
You don't have to get married to change name.
kaka is offline  
Old Oct 26, 18, 7:29 am
  #135  
 
Join Date: Oct 2017
Location: UK
Programs: too many
Posts: 347
anyone in the UK looking to start a class-action?
ng1265 is offline  
