Last edit by: kaka
Cathay Pacific information site:
https://infosecurity.cathaypacific.com/en_HK.html
If you want to hold CX to legal standing for the loss of private data, the best shot would be using EU GDPR regulations:
What to write to DPO/CX ([email protected]) according to EU GDPR in very short... (ref #177)
(if CX is seen as a HK company, then EU GDPR would apply to all EU citizens, including valid and expired (not renounced) BNO holders; and if CX is seen as managed by John Swire & Sons Ltd in the UK via Swire, then the Data Protection Act 2018 (of the UK), which includes GDPR, would apply to EVERYONE)
- ask for data that CX hold on you
- highlight specifically which data was lost
(there are a few things you could ask them for under GDPR... refer to the website)
They have 1 month to respond, or within that month they must give you a reasonable timeframe by which they will respond, before you can go to the ICO.
If you are seeking compensation from CX for the loss of private data, the following sites are dealing with class action against CX (not legal advice):
- http://www.cathaydatabreach.com
- http://www.classlawdc.com/2018/10/25/cathay-pacific-data-breach-class-action-investigation/
9.4 million passengers’ data stolen from CX
#76
Join Date: Oct 2014
Location: HKG
Posts: 1,053
Just received it for a second time within an 8 hour period. All content same.
#79
Suspended
Join Date: Jun 2002
Location: Hong Kong
Programs: None any more
Posts: 11,017
Name and address are public information if you're registered as a voter. HKID is an identifier just like your name, not an authenticator, so no issue for me in those being public.
I'd be a bit pissed off about passport number and DOB being out there, although many people publish the latter on their Facebook pages anyway.
I really don't see this as a big deal from a personal ID security point of view.
It's poor IT security by CX, but I guess this was some sort of phishing attack that got a staff member's password - there must be thousands of CX people, including contractors, in many countries who have access to all this data.
I actually think the way they have managed it isn't at all bad given that no passwords were exposed. I would hope that, perhaps without us noticing it, since May the stolen information has not been sufficient to do anything major with the affected accounts without further authentication.
#80
Join Date: Oct 2018
Posts: 481
Seems BA and CX are trying to outdo each other:
Since our announcement on September 6, 2018 regarding the theft of our customers’ data, British Airways has been working continuously with specialist cyber forensic investigators and the National Crime Agency to investigate fully the data theft. We are updating customers today with further information as we conclude our internal investigation.
The investigation has shown the hackers may have stolen additional personal data and we are notifying the holders of 77,000 payment cards, not previously notified, that the name, billing address, email address, card payment information, including card number, expiry date and CVV have potentially been compromised, and a further 108,000 without CVV. The potentially impacted customers were those only making reward bookings between April 21 and July 28, 2018, and who used a payment card.
While we do not have conclusive evidence that the data was removed from British Airways’ systems, we are taking a prudent approach in notifying potentially affected customers, advising them to contact their bank or card provider as a precaution. Customers who are not contacted by British Airways by Friday 26 October at 1700 GMT do not need to take any action.
In addition, from the investigation we know that fewer of the customers we originally announced were impacted. Of the 380,000 payment card details announced, 244,000 were affected. Crucially, we have had no verified cases of fraud.
We are very sorry that this criminal activity has occurred. As we have been doing, we will reimburse any customers who have suffered financial losses as a direct result of the data theft and we will be offering credit rating monitoring, provided by specialists in the field, to any affected customer who is concerned about an impact to their credit rating.
#81
Join Date: May 2016
Location: HKG
Programs: CX DM, SQ Gold
Posts: 81
Name and address are public information if you're registered as a voter. HKID is an identifier just like your name, not an authenticator, so no issue for me in those being public.
I'd be a bit pissed off about passport number and DOB being out there, although many people publish the latter on their Facebook pages anyway.
I really don't see this as a big deal from a personal ID security point of view.
It's poor IT security by CX, but I guess this was some sort of phishing attack that got a staff member's password - there must be thousands of CX people, including contractors, in many countries who have access to all this data.
I actually think the way they have managed it isn't at all bad given that no passwords were exposed. I would hope that, perhaps without us noticing it, since May the stolen information has not been sufficient to do anything major with the affected accounts without further authentication.
Last time I called Marco Polo to transact some business, all they needed to verify me was my HKID, contact number, email address and my passport nationality, all of which was reported to me earlier as having been stolen...
#83
Join Date: Jul 2000
Location: ey class
Posts: 258
And CX host a hackathon....
"We will host a series of exciting activities on location at Cathay Pacific’s headquarters, leading up to the 24-hour Hackathon. You'll be able to gain an exclusive insider understanding of our airline operations...."
maybe this was done during one of these events....
#84
Suspended
Join Date: Jun 2002
Location: Hong Kong
Programs: None any more
Posts: 11,017
The problem, and this is longstanding, is that Cathay (and many, many other organisations) use identifiers as pseudo-authenticators. And this is bad.
The banking world seems to have got to grips with this with 2-factor authentication (although I am not at all comfortable with some of the mobile phone banking stuff).
#85
Suspended
Join Date: Jun 2002
Location: Hong Kong
Programs: None any more
Posts: 11,017
And CX host a hackathon....
"We will host a series of exciting activities on location at Cathay Pacific’s headquarters, leading up to the 24-hour Hackathon. You'll be able to gain an exclusive insider understanding of our airline operations...."
maybe this was done during one of these events....
#86
Suspended
Join Date: May 2006
Location: HKG
Programs: A3, TK *G; JL JGC; SPG,Hilton Gold
Posts: 9,952
Name and address are public information if you're registered as a voter. HKID is an identifier just like your name, not an authenticator, so no issue for me in those being public.
I'd be a bit pissed off about passport number and DOB being out there, although many people publish the latter on their Facebook pages anyway.
I really don't see this as a big deal from a personal ID security point of view.
It's poor IT security by CX, but I guess this was some sort of phishing attack that got a staff member's password - there must be thousands of CX people, including contractors, in many countries who have access to all this data.
I actually think the way they have managed it isn't at all bad given that no passwords were exposed. I would hope that, perhaps without us noticing it, since May the stolen information has not been sufficient to do anything major with the affected accounts without further authentication.
And all this is only if CX has told us the whole truth.
Also, I wonder which part of the DB got caught out. I know some people have dummy MPO/registered accounts for all sorts of purposes and even those were lost - so it's not as if the loss came through purchases/redemptions.
However, 2 pieces of info that CX didn't talk much about are 1) membership numbers (these are SURELY compromised... see above about accounts that were never used in ticketed bookings), and 2) travel history.
#87
Join Date: Apr 2000
Posts: 2,637
Well, I have received 3 emails from CX in the last 2 days: Deal of the Month & credit card offers. I'm not an MPO nor Asia Miles member and the last paid ticket was part of a RTW ticket in Feb 2018. Before that Oct 2015. I wonder if I should be concerned being in the USA.
#89
Suspended
Join Date: May 2006
Location: HKG
Programs: A3, TK *G; JL JGC; SPG,Hilton Gold
Posts: 9,952
This to me is the problem. None of those are good authenticators. Basic systems security is very clear on identifiers and authenticators. As far as I can tell, what has been accessed are various identifiers.
The problem, and this is longstanding, is that Cathay (and many, many other organisations) use identifiers as pseudo-authenticators. And this is bad.
The banking world seems to have got to grips with this with 2-factor authentication (although I am not at all comfortable with some of the mobile phone banking stuff).
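The identifier-versus-authenticator distinction drawn in posts #84 and #89, as an added example that is not from the thread or from Cathay: a caller check that accepts the four fields post #81 says were used over the phone (all reported stolen) beside a hardened check that additionally demands a TOTP from an enrolled device. The member record, the breach dump and the TOTP secret are all constructed; the secret is the RFC 6238 test-vector key.

```python
import hashlib
import hmac
import struct

# Constructed sample: a member record as a call-centre agent might see it.
# These are the fields the thread says were used to verify a caller, and
# every one of them was reported as stolen in the breach.
MEMBER = {
    "hkid": "A123456(7)",          # constructed, not a real HKID
    "phone": "+852 1234 5678",     # constructed
    "email": "member@example.com",
    "nationality": "GBR",
}
# Constructed sample: the same record as it would sit in a breach dump.
BREACH_DUMP = dict(MEMBER)


def verify_by_identifiers(claimed: dict) -> bool:
    """Weak check: every field is an identifier, so anyone holding the
    breach dump passes. This is the 'identifier as pseudo-authenticator'
    pattern the post objects to."""
    return all(claimed.get(k) == v for k, v in MEMBER.items())


def totp(secret: bytes, now: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP over HMAC-SHA1: a possession factor bound to an enrolled
    device rather than to data that can be read out of a dump."""
    counter = struct.pack(">Q", now // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                       # dynamic truncation (RFC 4226)
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % 10 ** digits:0{digits}d}"


def verify_with_second_factor(claimed: dict, code: str, secret: bytes, now: int) -> bool:
    """Hardened check: the identifiers only locate the account; the TOTP from
    the enrolled device is what authenticates. compare_digest avoids a
    timing side channel on the code comparison."""
    if not verify_by_identifiers(claimed):
        return False
    return hmac.compare_digest(code, totp(secret, now))


if __name__ == "__main__":
    secret = b"12345678901234567890"   # RFC 6238 test-vector key, constructed enrolment
    print("identifier-only check passes with breached data:",
          verify_by_identifiers(BREACH_DUMP))
    print("breached data plus a guessed code:",
          verify_with_second_factor(BREACH_DUMP, "000000", secret, 59))
```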
#90
Suspended
Join Date: May 2006
Location: HKG
Programs: A3, TK *G; JL JGC; SPG,Hilton Gold
Posts: 9,952