
9.4 million passengers’ data stolen from CX

Old Oct 24, 2018, 3:47 pm
FlyerTalk Forums Expert How-Tos and Guides
Last edit by: kaka
Cathay Pacific information site:
https://infosecurity.cathaypacific.com/en_HK.html

If you want to hold CX to legal standing for the loss of private data, the best shot would be using EU GDPR regulations:
What to write to DPO/CX ([email protected]) according to EU GDPR in very short... (ref #177)
(if CX is seen as a HK company, then EU GDPR would apply to all EU Citizen inc valid and expired (not renounced) BNO Holders; and if CX is seen managed by John Swire & Sons Ltd in the UK via Swire, then Data Protection Act 2018 (of UK) which includes GDPR would apply to EVERYONE)
  • ask for data that CX hold on you
  • highlight specifically which data was lost
    (there's a few things you could ask them according to GDPR... refer to the website)
They have 1 month to respond, or within that 1 month they must give you a reasonable timeframe by which they will respond, before you can go to the ICO.

If you are seeking compensation from CX for the loss of private data, the following sites are dealing with class action against CX (not legal advice):
  • http://www.cathaydatabreach.com
  • http://www.classlawdc.com/2018/10/25/cathay-pacific-data-breach-class-action-investigation/

Old Oct 25, 2018, 4:16 am
  #61  
Suspended
 
Join Date: May 2006
Location: HKG
Programs: A3, TK *G; JL JGC; SPG,Hilton Gold
Posts: 9,952
Originally Posted by ermen
Some questions that I am unclear about

1. Does this only affect MPO / AM members / registered account members or are guests affected?
2. Only revenue fares or AM/redemptions or both?
2. Are third party (e.g. Expedia) bookings affected
3. Even better are CX redemption via OW affected

I haven't received any email, because I don't generally book CX revenue. But have booked a few redemptions using AM and BAEC
i got compromised. my last cash ticket... i don't remember. perhaps one lny before feb2015
kaka is offline  
Old Oct 25, 2018, 4:34 am
  #62  
 
Join Date: Dec 2001
Location: China
Posts: 1,551
Nothing for me yet.

For those who had HKID/ passport/ birth day/ name/ email/ address taken - eek. Would be surprised if there haven't been phishing attempts on high value targets
peasant is offline  
Old Oct 25, 2018, 4:47 am
  #63  
 
Join Date: Jan 2006
Programs: AAdvantage Asia Miles Air China
Posts: 870
I find it impossible to trust anything CX says on this. I also must be careful as data is my business, not IT, but information for Capital Markets.

These are some points which I feel must make people think:

  • The data stolen is not the same for everyone, this implies a huge issue in terms of accessibility and CX IT infrastructure. System access, storage and integrity are seriously compromised
  • To employ a negative, CX may know what was taken but they probably do not know everything that was taken
  • At the moment personal data security is structured by types on a layered basis in a simplistic interrogation environment, so it is about the combinations of data stolen. People with IDs and Dates of Birth being taken are at a high risk, however, a determined criminal can add value to the stolen data by going to social media. If I know who a person is and have other data, then things like Facebook are going to offer up missing information
  • Also CX has not stated if status has been taken as well. Knowing this allows criminals to prioritise targets
  • CX has only given the bare minimum of information and applied obfuscation, things like "We have no evidence of" and so on, it is the get out of gaol card. They are probably too incompetent to actually know how to find evidence, and equally from a previous post we can see CX are likely to be wrong about knowing what data for each client they have lost
  • Appalling data governance, though more likely non-existent data governance, if this had happened at a Bank I know exactly what would happen and when
While the above is rather negative, those losing higher risk data will need to think about impacts. Experian can only do so much.

And comparing to BA, they had 400K customers' details taken, CX lost 9 Million more or 23.5 times more. Impressive in its negligence.

Back to my mantra, CX and technology, 'Where the intelligence is virtual'
Mr. Strong, kaka, G-CIVC and 3 others like this.

Last edited by Nicc HK; Oct 25, 2018 at 4:59 am
Nicc HK is offline  
Old Oct 25, 2018, 4:59 am
  #64  
 
Join Date: Nov 2013
Location: Places
Programs: CI Paragon, AF Gold, Bonvoy Ambassador Elite, Shangri-La Jade
Posts: 170
Originally Posted by kaka

i got compromised. my last cash ticket... i don't remember. perhaps one lny before feb2015
Similar here, my last was in 2013. They got my address, email, name, and title. Travel document was stored.
gracall is offline  
Old Oct 25, 2018, 5:25 am
  #65  
Suspended
 
Join Date: May 2006
Location: HKG
Programs: A3, TK *G; JL JGC; SPG,Hilton Gold
Posts: 9,952
Originally Posted by txflyer77
https://twitter.com/benjaminbland/st...331503616?s=21

Cathay is directing questions to an unverified twitter account. What a clown show.

https://twitter.com/cathaypacific/st...444854273?s=21
Has anyone been told the travel history has been compromised
kaka is offline  
Old Oct 25, 2018, 5:29 am
  #66  
 
Join Date: Apr 2001
Location: HKG/HND/OOL
Programs: QF Emerald. SQ Gold.
Posts: 3,170
very strange timing but my CX Elite card was used fraudulently over the weekend. Amex called about it and i had to cancel the card...

today i see this... i know theft was 7mths ago... but... what a coincidence
fakecd is offline  
Old Oct 25, 2018, 5:40 am
  #67  
 
Join Date: Jul 2011
Programs: BA Bronze
Posts: 1,026
One of my family members just received the email that the following were taken (less bad than others..?):

- address
- name
- title

I have not received an email yet relating to my own data. Neither of us are MP, but both have an AM account.
go_around is offline  
Old Oct 25, 2018, 6:11 am
  #68  
 
Join Date: Jan 2011
Location: HKG/YVR
Programs: MPO, Aeroplan, SPG
Posts: 183
Originally Posted by blum81
What MP status are you?

My wife is at gold and parents are at silver but neither of them received the email.

Wonder if they are really sending emails out according to MP levels? lol.
My wife has no status, just Asia Miles member and received the e-mail at around 18:05. I received nothing
BryanL is offline  
Old Oct 25, 2018, 6:17 am
  #69  
 
Join Date: Jun 2005
Location: HKG
Posts: 1,505
Anyone subscribing to their identity monitoring service with experian? Wonder if it's effective or more giving your personal data to another 3rd party.

http://www.globalidworks.com/identity1
hkskyline is offline  
Old Oct 25, 2018, 6:37 am
  #70  
 
Join Date: Apr 2004
Location: Tokyo, Vancouver, Hong Kong, Dublin
Programs: CX DM
Posts: 880
Originally Posted by hkskyline
Anyone subscribing to their identity monitoring service with experian? Wonder if it's effective or more giving your personal data to another 3rd party.

http://www.globalidworks.com/identity1
yes a bit wary of it too. but gave it my email addresses, credit card number, etc. since my data is out there anyway. and got back the attached basically right away. not sure how much of the "dark web" it can scan. just hope experian itself doesn't get hacked.

marcuslai is offline  
Old Oct 25, 2018, 6:49 am
  #71  
 
Join Date: Feb 2008
Location: Hong Kong
Programs: CX DM
Posts: 204
Originally Posted by hkskyline
Anyone subscribing to their identity monitoring service with experian? Wonder if it's effective or more giving your personal data to another 3rd party.

http://www.globalidworks.com/identity1
They took this:
  • Email Address
  • HKID Number
  • Name
  • Nationality
  • Telephone Number
  • Title
and so I subscribed and the service told me that my email had been compromised twice in July and August...but as far as CX was concerned "We have no evidence that any personal data has been misused" !! Apparently, I'm supposed to "change the password for the email address that was found compromised" but there are no details of the accounts on the service. This could be messy

Last edited by clazza; Oct 25, 2018 at 6:58 am Reason: grammar
clazza is online now  
Old Oct 25, 2018, 7:37 am
  #72  
Suspended
 
Join Date: May 2006
Location: HKG
Programs: A3, TK *G; JL JGC; SPG,Hilton Gold
Posts: 9,952
my gf lost her hkid and name. great....
kaka is offline  
Old Oct 25, 2018, 7:52 am
  #73  
 
Join Date: Sep 2013
Posts: 525
Guys, I doubt status has anything to do with when you're getting it. It's just a matter of how the query is run and when they load the mail server to send it out.

Something to keep in mind. By accepting their identity theft protection, you could possibly be absolving CX of any responsibility they have to you. If you do want to be compensated somehow, you should read the T&Cs before accepting their identity theft protection.
LoveHateRelationship is offline  
Old Oct 25, 2018, 7:54 am
  #74  
 
Join Date: Sep 2014
Location: DTW - Rochester Hills, MI
Programs: Cathay MPC, IHG Diamond Ambassador, Domestic Airline Nobody
Posts: 715
To those that have received the emailed notification, can one of you confirm if it comes from the same Marco Polo email address? I want to make sure my spam filters whitelist the address if it is something different.
Gongzuokuang is offline  
Old Oct 25, 2018, 8:19 am
  #75  
 
Join Date: Nov 2017
Location: HKG
Programs: CX, BA
Posts: 69
Surprisingly calm when reading this. Prob becoz my name, address, ID bla bla bla were already leaked when HK gov lost the computer containing all HK voters' information. Not particularly cross if/when CX leaked those again. But why do they announce this 5 months after confirming such incident? In March, it's still kind of reasonable not to announce to the public when they 'suspected' such leakage. It is hard to see any legitimate reason to remain silent for 5 months after knowing such colossal data leakage.
FlyPointyEnd likes this.
marcommm is offline  

