
9.4 million passengers’ data stolen from CX

Old Oct 24, 2018, 3:47 pm
FlyerTalk Forums Expert How-Tos and Guides
Last edit by: kaka
Cathay Pacific information site:
https://infosecurity.cathaypacific.com/en_HK.html

If you want to hold CX to legal standing for the loss of private data, the best shot would be using EU GDPR regulations:
What to write to DPO/CX ([email protected]) according to EU GDPR in very short... (ref #177)
(if CX is seen as a HK company, then EU GDPR would apply to all EU Citizen inc valid and expired (not renounced) BNO Holders; and if CX is seen managed by John Swire & Sons Ltd in the UK via Swire, then Data Protection Act 2018 (of UK) which includes GDPR would apply to EVERYONE)
  • ask for data that CX hold on you
  • highlight specifically which data was lost
    (there's a few things you could ask them according to GDPR... refer to the website)
They have 1 month to respond or they will have to give you a reasonable timeframe where they have to respond by within the 1 month before you can go to ICO.

If you are seeking compensation from CX for the loss of private data, the following sites are dealing with class action against CX (not legal advice)
  • http://www.cathaydatabreach.com
  • http://www.classlawdc.com/2018/10/25/cathay-pacific-data-breach-class-action-investigation/

Old Oct 25, 2018, 2:05 pm
  #106  
 
Join Date: Dec 2000
Location: HKG
Programs: AA 3MM EXP, SQ Solitaire, LH SEN, CX DM, Hyatt CC, Marriott LT Titanium
Posts: 3,179
I wonder if they actually have email address for all 9m affected people? There must be some that they do not have email address of.. Are they going to send snail mail to them about this?

Also, it seems that the data breach was not linked directly to their loyalty program, but from reservation and operations as it seems to have affected people who bought tickets outside of the CX. ie. affiliate redemption, etc
tfung is offline  
Old Oct 25, 2018, 2:36 pm
  #107  
 
Join Date: Aug 2007
Location: SBA
Programs: UA & AA 1 million miler
Posts: 1,134
Originally Posted by FlyPointyEnd
All of my DM friends already got an email. Maybe they are informing people based on MPO status first hehehe
I don't think so. I received email from CX earlier today, and I am just a registered user. I don't even have Marco Polo Club account.
MrJBoy is offline  
Old Oct 25, 2018, 3:26 pm
  #108  
 
Join Date: Jun 2005
Location: ORD (formerly SAN)
Programs: Hilton Diamond; IHG Platinum; Bonvoy Gold; AA Platinum Pro and United Premier Silver (DH = AA EXP)
Posts: 1,928
I was looking for a breach notification, but have not received it yet. However, I did get an invitation to ADD more info to my profile yesterday! No joke! Um, thanks, but no thanks?

"Did you know your travel experience could be even smoother by updating your profile on cathaypacific.com? By storing information such as travel documents and contact information – for yourself and up to three companions – you can save time during online booking and check-in.

As a Registered Account holder, you will also be the first to know about our latest flight promotions, new benefits, and exclusive offers we plan to introduce – starting with a great birthday offer coming soon.

Click here now to update your details, including your birthday!

Sincerely,
Cathay Pacific"
TravelLawyer is offline  
Old Oct 25, 2018, 4:35 pm
  #109  
 
Join Date: Sep 2011
Location: MNL
Programs: CX MPO DM, Le Club Accor Platinum, World of Hyatt Explorist
Posts: 2,284
Originally Posted by Mr. Strong
For those affected in the Philippines, CX should be covered by Republic Act 10173 - Data Privacy Act of 2012 (DPA). https://www.privacy.gov.ph/data-privacy-act/
For extraterritorial application of the DPA, see https://www.privacy.gov.ph/data-privacy-act/#6

If my understanding is correct, given the extent and size of CX's business in the Philippines, it has to comply with the DPA and its Implementing Rules and Regulations and thus would have to have a Data Privacy Officer (DPO) in the Philippines. Hopefully that DPO should answer what kind of ID Monitoring Services are available. If you can't get a hold of the DPO for CX in the Philippines, I suggest that you reach out to Rob Bradshaw, CX Philippines Country Manager and apply some pressure on him to get an answer.
After the recent cuts in the staff in Manila, I’d be surprised if they still have a DPO in the town office...
FlyPointyEnd is offline  
Old Oct 25, 2018, 5:23 pm
  #110  
 
Join Date: Mar 2010
Location: New York
Programs: AAdvantage, BA Executive Club, CX MPC, Marriot Rewards, Priority Club
Posts: 144
I got the email this morning and it states:

The following personal information about you was accessed:
  • Address
  • Name
  • Title
Your travel or loyalty profile was not accessed in full, and your password was not compromised.

My wife, who has flown more on CX this year than me (and higher status), has not received the email as of yet.
thekfc is offline  
Old Oct 25, 2018, 6:18 pm
  #111  
 
Join Date: Dec 2001
Location: China
Posts: 1,552
Originally Posted by tfung
I wonder if they actually have email address for all 9m affected people? There must be some that they do not have email address of.. Are they going to send snail mail to them about this?

Also, it seems that the data breach was not linked directly to their loyalty program, but from reservation and operations as it seems to have affected people who bought tickets outside of the CX. ie. affiliate redemption, etc

My guess is that they have a 'customer profile' database harvesting & storing information from reservations, loyalty etc. So doesn't have passwords, but does have other MPO profile data. For EU residents, might want to ask under GDPR
peasant is offline  
Old Oct 25, 2018, 6:57 pm
  #112  
 
Join Date: Sep 2011
Location: MNL
Programs: CX MPO DM, Le Club Accor Platinum, World of Hyatt Explorist
Posts: 2,284
Okay...I've calmed down a bit. Hacking, data breach or whatever you may want to call it...it seems like it happens all the time and is a reality in this day and age. Except for my birthday and travel document, the information is found on my calling card anyway. What I guess still upsets me is the fact that it was kept from us for all this time. I do agree they needed time to verify, which they did last May, but why wait till yesterday to disclose? It just doesn't make any sense to me.
Nicc HK likes this.
FlyPointyEnd is offline  
Old Oct 25, 2018, 7:12 pm
  #113  
sxc
FlyerTalk Evangelist
Accor Contributor Badge
 
Join Date: Dec 2004
Programs: CX Green, QF Platinum, BAEC Silver, Hyatt Glob
Posts: 10,780
Originally Posted by FiveMileFinal
Took all my s**t.



If I cared about credit or identity theft, there'd be a lawsuit. As it stands, this might be enough for me to stop flying them entirely.
Typically companies that recover from these situations end up being the most secure organisations. So flying another airline for this reason may end up being counter productive.
PacificSunrise likes this.
sxc is offline  
Old Oct 25, 2018, 8:08 pm
  #114  
 
Join Date: Sep 2013
Posts: 525
I suspect with this data breach, the MPC line is slammed right now. Can't get through
LoveHateRelationship is offline  
Old Oct 25, 2018, 8:24 pm
  #115  
 
Join Date: Dec 2012
Location: Hong Kong
Posts: 6
I got the email and it states:

The following types of personal data about you were accessed:
  • Email Address
  • Flown Flight Number & Date
  • HKID Number
  • Name
  • Nationality
  • Permit Number
  • Telephone Number
  • Title
Your travel or loyalty profile was not accessed in full, and your password was not compromised.
happyshanzhui is offline  
Old Oct 25, 2018, 8:27 pm
  #116  
 
Join Date: Sep 2011
Location: MNL
Programs: CX MPO DM, Le Club Accor Platinum, World of Hyatt Explorist
Posts: 2,284
Someone told me the data breach is punishable under EU GDPR...penalty is 4% annual revenue...is this real?

Last edited by FlyPointyEnd; Oct 25, 2018 at 8:37 pm
FlyPointyEnd is offline  
Old Oct 25, 2018, 8:42 pm
  #117  
 
Join Date: Jun 2015
Location: Jakarta
Programs: Flying Blue, Marco Polo, Skywards, Etihad Guest, IHG, Aeroplan
Posts: 269
Originally Posted by FlyPointyEnd
Someone told me the data breach is punishable under EU GDPR...penalty is 4% annual revenue...is this real?
I believe it's 4% but CX will be able to get away from GDPR as the breach happened before the implementation of GDPR.
rienhart87 is offline  
Old Oct 25, 2018, 8:49 pm
  #118  
 
Join Date: Apr 2014
Location: Hong Kong, London, Toronto, Bangkok
Programs: MPC, OneWorld, 1865 Voyager, Hyatt, Horizon Club
Posts: 149
Whether it is related or unrelated, and although my CC details were not stolen, I have logged 1 fraudulent transaction with my HSBC CC approx two months ago, which I have used to pay for flights previously; and my relatives and friends have also logged two fraudulent CC use (Amex Cathay Elite) this past weekend. Whether or not these are coincidences, just a friendly reminder to really look at your statements and check any bank notifications as to unauthorised/card not present transactions.
hphreak is offline  
Old Oct 25, 2018, 8:55 pm
  #119  
 
Join Date: Mar 2012
Location: Vancouver, Manila, Singapore, Kuala Lumpur, Hong Kong
Programs: CX-DM, Marriott Gold, Fairmont Premier
Posts: 335
Originally Posted by rienhart87
I believe it's 4% but CX will be able to get away from GDPR as the breach happened before the implementation of GDPR.
My cynical tin foil hat side of me wonders if the breach happened after GDPR was implemented in May, but saying March will get them grandfathered lol.
blum81 is offline  
Old Oct 25, 2018, 9:48 pm
  #120  
 
Join Date: May 2006
Location: PMD
Programs: UA*G, NW, AA-G. WR-P, HH-G, IHG-S, ALL. TT-GE.
Posts: 2,910
Originally Posted by happyshanzhui
I got the email and it states:

The following types of personal data about you were accessed:
  • Email Address
  • Flown Flight Number & Date
  • HKID Number
  • Name
  • Nationality
  • Permit Number
  • Telephone Number
  • Title
Your travel or loyalty profile was not accessed in full, and your password was not compromised.
Your version is alarming--it fits the speculation that a neighboring government may be hacking to search for data hidden by their own citizens such as other nationalities and travel history.
kaka and HarbourGent like this.
HkCaGu is offline  

