Last edit by: kaka
Cathay Pacific information site:
https://infosecurity.cathaypacific.com/en_HK.html
If you want to hold CX to legal standing for the loss of private data, the best shot would be using EU GDPR regulations:
What to write to DPO/CX ([email protected]) according to EU GDPR in very short... (ref #177)
(if CX is seen as a HK company, then EU GDPR would apply to all EU Citizen inc valid and expired (not renounced) BNO Holders; and if CX is seen managed by John Swire & Sons Ltd in the UK via Swire, then Data Protection Act 2018 (of UK) which includes GDPR would apply to EVERYONE)
- ask for data that CX hold on you
- highlight specifically which data was lost
(there's a few things you could ask them according to GDPR... refer to the website)
They have 1 month to respond or they will have to give you a reasonable timeframe where they have to respond by within the 1 month before you can go to ICO.
If you are seeking compensation from CX for the loss of private data, the following sites are dealing with class action against CX (not legal advice)
- http://www.cathaydatabreach.com
- http://www.classlawdc.com/2018/10/25/cathay-pacific-data-breach-class-action-investigation/
9.4 million passengers’ data stolen from CX
#166
Join Date: Sep 2011
Location: MNL
Programs: CX MPO DM, Le Club Accor Platinum, World of Hyatt Explorist
Posts: 2,284
After I got my data security breach email from CX, I sent an email to Rupert Hogg, another senior manager and their infosecurity desk. I asked some straightforward questions. It took their Customer Relations team 3 days to send me the following pathetic reply.
"Thank you for your email to Mr Rupert Hogg, our Chief Executive Officer, our senior management team and the info security team regarding your concerns on the data security event.
We are sorry that we have not been able to respond as of yet. We fully appreciate and recognise your concerns. Please allow us to look into the matter before replying to you in more detail. In the meantime, thank you for your patience and for taking the time to contact us.
Yours sincerely
Customer Relations Department
Cathay Pacific Airways Limited
Hong Kong Dragon Airlines Limited"
#167
Formerly known as jsfrSuperElite
Join Date: Feb 2008
Location: Hong Kong, Montreal
Programs: Air Canada SE100K-1MM, Hilton Honors Lifetime Diamond
Posts: 590
After I got my data security breach email from CX, I sent an email to Rupert Hogg, another senior manager and their infosecurity desk. I asked some straightforward questions. It took their Customer Relations team 3 days to send me the following pathetic reply.
"Thank you for your email to Mr Rupert Hogg, our Chief Executive Officer, our senior management team and the info security team regarding your concerns on the data security event.
We are sorry that we have not been able to respond as of yet. We fully appreciate and recognise your concerns. Please allow us to look into the matter before replying to you in more detail. In the meantime, thank you for your patience and for taking the time to contact us.
Yours sincerely
Customer Relations Department
Cathay Pacific Airways Limited
Hong Kong Dragon Airlines Limited"
#169
Ambassador, Hong Kong and Macau
Join Date: May 2009
Location: HKG
Programs: Non-top tier Asia Miles member
Posts: 19,799
#170
Join Date: Jun 2006
Location: NYC/SIN
Programs: CX DM, SQ KF
Posts: 2,170
(I do owe some of the regulars on here an update about that- soon!, even though you didn’t really miss anything).
#171
Ambassador, Hong Kong and Macau
Join Date: May 2009
Location: HKG
Programs: Non-top tier Asia Miles member
Posts: 19,799
Simone Chen to Cathay Pacific 國泰航空
October 30 at 5:57 PM ·
I wrote to CX about the details of my details leaked. I asked whether my full name or surname only, every digit of my phone number or only part of it.
Here is the reply from CX customer relationship. “ We are sorry we cannot access your specific information due to privacy concerns.”
You leak my data and then you tell me I can’t tell you the details of it because of privacy concern. How hilarious!!!
#172
Join Date: Oct 1999
Location: HKG
Programs: CX DM, SQ, BA, TG, Sheba, VN, MPO since 1980
Posts: 1,058
#173
Join Date: Jun 2016
Location: Hong Kong
Programs: Lowly CX & IHG
Posts: 382
Regarding the “We are sorry we cannot access your specific information due to privacy concerns”, not that they should send actual data through email which is not really considered secure, nor should they keep a copy of the actual leaked data for the inquiries that’s easier to be leaked again... So, well, not very helpful but not the worst way to handle either, in my own opinion; but that’s your freedom if you insist on a thorough check.
#174
Suspended
Join Date: May 2006
Location: HKG
Programs: A3, TK *G; JL JGC; SPG,Hilton Gold
Posts: 9,952
Regarding the “We are sorry we cannot access your specific information due to privacy concerns”, not that they should send actual data through email which is not really considered secure, nor should they keep a copy of the actual leaked data for the inquiries that’s easier to be leaked again... So, well, not very helpful but not the worst way to handle either, in my own opinion; but that’s your freedom if you insist on a thorough check.
#175
Join Date: Jun 2016
Location: Hong Kong
Programs: Lowly CX & IHG
Posts: 382
Not being an EU citizen thus not aware of that. That case maybe also contact the data protection officer or state as a GDPR request?
Customers requesting more information or clarification on specific Personal Data usage are welcome to contact us at [email protected] or write to us at the below mailing addresses:
The Data Protection Officer
Cathay Pacific Airways Limited
6th Floor Cathay Pacific City
8 Scenic Road
Hong Kong International Airport
Lantau
Hong Kong
Hong Kong Dragon Airlines Limited
5th Floor Cathay Dragon House
11 Tung Fai Road
Hong Kong International Airport
Lantau
Hong Kong
#176
Suspended
Join Date: May 2006
Location: HKG
Programs: A3, TK *G; JL JGC; SPG,Hilton Gold
Posts: 9,952
anyways, you can still send the same in. they could ask for your EU citizen details or they could surrender the information
#177
Suspended
Join Date: May 2006
Location: HKG
Programs: A3, TK *G; JL JGC; SPG,Hilton Gold
Posts: 9,952
According to EU GDPR (if CX is seen as a HK company, then it would apply to all EU Citizen inc valid and expired (not renounced) BNO Holders; and if CX is seen managed by John Swire & Sons Ltd in the UK via Swire, then GDPR would apply to EVERYONE)
From the communications with someone on the BA Forum, this is a brief summary of what GDPR/UK Data Protection Act 2018 wrt personal data. (this was taken from private comms so i would keep the name out. it's pretty much taken out of the website so i figure it's ok to share with like minds without rewriting it.)
Under the Data Protection Act (latest UK version is 2018, which includes GDPR) you can make a "Subject Access Request". Under Data Processing law any living individual is a "data subject" and can apply to any data processor (any person, company or legal entity) that has information about them.
What is a data subject entitled to?
Individuals have the right to obtain the following from you:
- confirmation that you are processing their personal data;
- a copy of their personal data; and
- other supplementary information – this largely corresponds to the information that you should provide in a privacy notice
In addition to a copy of their personal data, you also have to provide data subjects with the following information:
- the purposes of your processing;
- the categories of personal data concerned;
- the recipients or categories of recipient you disclose the personal data to;
- your retention period for storing the personal data or, where this is not possible, your criteria for determining how long you will store it;
- the existence of their right to request rectification, erasure or restriction or to object to such processing;
- the right to lodge a complaint with the ICO or another supervisory authority;
- information about the source of the data, where it was not obtained directly from the individual;
- the existence of automated decision-making (including profiling); and
- the safeguards you provide if you transfer personal data to a third country or international organisation.
BA have to respond within a month of your request, and there is no charge payable (the previous version of the Data Protection Act allowed a charge of up to £10 but this no longer applies since GDPR).
You may find this page useful: https://ico.org.uk/your-data-matters...ght-of-access/
and below is CX's point of contact regarding personal data usage.
Customers requesting more information or clarification on specific Personal Data usage are welcome to contact us at [email protected] or write to us at the below mailing addresses:
The Data Protection Officer
Cathay Pacific Airways Limited
6th Floor Cathay Pacific City
8 Scenic Road
Hong Kong International Airport
Lantau
Hong Kong
Hong Kong Dragon Airlines Limited
5th Floor Cathay Dragon House
11 Tung Fai Road
Hong Kong International Airport
Lantau
Hong Kong
A brief summary of what to write to DPO in very short...
- asking for data that CX hold on you
- highlight specifically which data was lost
(there's a few things you could ask them according to GDPR... refer to the website)
They have 1 month to respond or they will have to give you a reasonable timeframe where they have to respond by within the 1 month before you can go to ICO.
Last edited by kaka; Nov 1, 2018 at 9:24 pm
#178
Suspended
Join Date: May 2006
Location: HKG
Programs: A3, TK *G; JL JGC; SPG,Hilton Gold
Posts: 9,952
re: Class action
http://www.cathaydatabreach.com - SPG/ Sanders Phillips Grossman
From SCMP regarding SPG (http://www.cathaydatabreach.com)
Originally Posted by scmp
The group (SPG) action planned in Britain would be restricted to European Union residents. On the website, the firm said the claimants had a right to compensation from Cathay Pacific for the data leak under Article 82 of the European Union General Data Protection Regulation (GDPR).
For other claimants, like those in Hong Kong and mainland China, Goodhead said the firm would file separately in the Netherlands, which “provides a mechanism [by which a] stichting, or a foundation, can represent claimants worldwide on a class action basis”.
http://www.classlawdc.com/2018/10/25...investigation/ - M&R/ Migliaccio & Rathod LLP
Originally Posted by M&R
Migliaccio & Rathod LLP is currently investigating Cathay Pacific’s alleged failure to protect sensitive customer data in the worst ever airline data hack.
Last edited by kaka; Nov 1, 2018 at 9:32 pm
#179
Suspended
Join Date: May 2006
Location: HKG
Programs: A3, TK *G; JL JGC; SPG,Hilton Gold
Posts: 9,952
updated wiki:
for GDPR and class action
If you want to hold CX to legal standing for the loss of private data, the best shot would be using EU GDPR regulations:
What to write to DPO/CX ([email protected]) according to EU GDPR in very short... (ref #177)
(if CX is seen as a HK company, then EU GDPR would apply to all EU Citizen inc valid and expired (not renounced) BNO Holders; and if CX is seen managed by John Swire & Sons Ltd in the UK via Swire, then Data Protection Act 2018 (of UK) which includes GDPR would apply to EVERYONE)
- ask for data that CX hold on you
- highlight specifically which data was lost
(there's a few things you could ask them according to GDPR... refer to the website)
They have 1 month to respond or they will have to give you a reasonable timeframe where they have to respond by within the 1 month before you can go to ICO.
If you are seeking compensation from CX for the loss of private data, the following sites are dealing with class action against CX (not legal advice)
#180
Join Date: Aug 2015
Location: Hong Kong
Programs: Cathay Lifetime Diamond
Posts: 690
The below from today's SCMP I feel adds some balance to what has been at times a considerable overreaction both on this forum and elsewhere.
For the past week or so the SCMP has run several pieces aimed at inflaming the views of a largely uninterested Hong Kong readership, yet today has prominently featured the below from a regular contributor Richard Harris
https://www.scmp.com/comment/insight...ts-data-breach
Last evening at a function we were a table of 14 HK based business people, mostly local locals who all travel to a greater or lesser extent with Cathay. None were remotely alarmed by this contained data breach. Slightly annoyed yes but nothing more with all considering that this could happen to any large business that needs to gather a good deal of personal information with some considering Cathay’s IT systems to be robust in that almost no useable data that was not readily available from other sources had been accessed by this aggressive breach.