Last edit by: kaka
Cathay Pacific information site:
https://infosecurity.cathaypacific.com/en_HK.html
If you want to hold CX to legal standing for the loss of private data, the best shot would be using EU GDPR regulations:
What to write to DPO/CX ([email protected]) according to EU GDPR in very short... (ref #177)
(if CX is seen as a HK company, then EU GDPR would apply to all EU citizens, incl. valid and expired (not renounced) BNO holders; and if CX is seen as managed by John Swire & Sons Ltd in the UK via Swire, then the Data Protection Act 2018 (of the UK), which includes GDPR, would apply to EVERYONE)
- ask for data that CX hold on you
- highlight specifically which data was lost
(there's a few things you could ask them according to GDPR... refer to the website)
They have 1 month to respond or they will have to give you a reasonable timeframe where they have to respond by within the 1 month before you can go to ICO.
If you are seeking compensation from CX for the loss of private data, the following sites are dealing with class action against CX (not legal advice)
- http://www.cathaydatabreach.com
- http://www.classlawdc.com/2018/10/25/cathay-pacific-data-breach-class-action-investigation/
9.4 million passengers’ data stolen from CX
#197
Ambassador, Hong Kong and Macau
Join Date: May 2009
Location: HKG
Programs: Non-top tier Asia Miles member
Posts: 19,800
1. I wonder whether the 430 cards stolen - of which 427 were claimed to have expired - were "expired" as a result of the breach (that is - the cards were valid, but CX's acquirer contacted the issuers to replace the cards)?
2. My info stolen - HKID (how did CX have that...) phone number email - may not be enough to create new card accounts/identity documents for identity theft but coupled with pretty lax security at other HK companies, someone may get my other non-public info like bank balance or card balance. Other than that, and the fact my phone and email may be spammed, I really can't think of any objective consequences of the breach.
#198
Suspended
Join Date: Oct 2017
Programs: jeweledgolfclub
Posts: 22
1. I wonder whether the 430 cards stolen - of which 427 were claimed to have expired - were "expired" as a result of the breach (that is - the cards were valid, but CX's acquirer contacted the issuers to replace the cards)?
2. My info stolen - HKID (how did CX have that...) phone number email - may not be enough to create new card accounts/identity documents for identity theft but coupled with pretty lax security at other HK companies, someone may get my other non-public info like bank balance or card balance. Other than that, and the fact my phone and email may be spammed, I really can't think of any objective consequences of the breach.
2) Assuming your name was taken too, it's not hard to make some half genuine ID for some can't be bothered company to approve their use.
3) Remember how some people got their Alipay account breached?
Is anyone doing the class action?
#200
Join Date: Nov 2017
Programs: MPC-DM, Enrich-Plat
Posts: 1,310
- Fill their own wallets by wanting a 30% fee of the CX extorted amount.
- Let all participants deposit a significant amount for whatever plausible reason, to cover their real costs, just in case the extorted amount is less than the costs.
Of course, they will tell you, a lot of people already signed up.
Be aware, to be able to get compensation, you will need to show some kind of damage. The simple fact that info has been (presumed) stolen does not imply it is being used maliciously. EU-GDPR fines go to the EU, not to the individual.
Put your emotions aside. With "significant" information stolen from 9.4 million people, there should have been a huge crowd, who was a victim of fraud though until now, if fraud was the target of the theft. I did see zero notifications somehow or another related to this leak.
(Which again convinces me, the hackers weren't "commercially" interested, ie state hackers).
#201
Ambassador, Hong Kong and Macau
Join Date: May 2009
Location: HKG
Programs: Non-top tier Asia Miles member
Posts: 19,800
1) Do you trust what they tell you tho? Especially when you say they don't know your HKID.
2) Assuming your name was taken too, it's not hard to make some half genuine ID for some can't be bothered company to approve their use.
3) Remember how some people got their Alipay account breached?
Is anyone doing the class action?
What else are they hiding? Wonder are there grounds for establishing a Commission of Enquiry (HK-style Royal Commission)?
#202
Join Date: Nov 2017
Programs: MPC-DM, Enrich-Plat
Posts: 1,310
A lot of unclear aspects, though, I think, we should give CX credit for their effort to painstakingly investigate and report at the individual level, which record items were leaked for each individual customer. I do think, most companies would have simply said something general, like, "If you have your HKID stored at CX and used it in this period, it highly likely got leaked." Have a look at Facebook, Google, Apple, etc.
#203
Ambassador, Hong Kong and Macau
Join Date: May 2009
Location: HKG
Programs: Non-top tier Asia Miles member
Posts: 19,800
What assurance do I have that the information is complete, and a judge with compelling powers is not going to find the 20-odd credit cards and my mother's alias passport copy has not been leaked as well?
#204
Join Date: Nov 2017
Programs: MPC-DM, Enrich-Plat
Posts: 1,310
To be (more) sure, you will have to set up your own investigation team & program, convince CX (probably through a court action), to let the team investigate the same as CX already did and find out if CX made mistakes and/or cheated on the whole. I don't think any court will grant you such a request, unless you can make very plausible, CX cheated on you, with what they reported. That'll be difficult, to say the least.
On the practical side, CX gave each individual an exact description of what (which records) has/have been accessed (leaked ?), which does (at least) me, give "quite some" confidence, CX did seriously investigate and deal with this matter.
I just came over some press coverage that the August BA leaked credit cards do seem to be offered at black markets.
Despite the CX leaking being significantly longer ago (and at a significantly smaller credit card scale), I did not see any notices appear about leaked data being available for purchase.
To be able to offer leaked data, the party doing the commercialization, certainly will have to tell their potential customers, where the data comes from, otherwise their customers have no idea about the value of what they can buy.
(Which again does let me expect this leak to be from state hackers. I think, it's an excellent idea to, as a state intelligence institute, hack major airlines to obtain information about people vs. their communication methods, as well as people movements around the globe. Not that many other organizations will have such a high quality info about everybody travelling around the globe. Not even banks have that info.)
#205
Ambassador, Hong Kong and Macau
Join Date: May 2009
Location: HKG
Programs: Non-top tier Asia Miles member
Posts: 19,800
I have my suspicions BA leaked my card info - I just had the USD card I use for BAEC (which I use for USD transactions only) fraudulently charged overnight, cancelled and replaced first thing this morning.
However, the company that admitted they have not told us everything at first is worse than the company I can't prove has not told us everything.
#206
Suspended
Join Date: Oct 2017
Programs: jeweledgolfclub
Posts: 22
I have my suspicions BA leaked my card info - I just had the USD card I use for BAEC (which I use for USD transactions only) fraudulently charged overnight, cancelled and replaced first thing this morning.
However, the company that admitted they have not told us everything at first is worse than the company I can't prove has not told us everything.
Just like EC261, not being consumer friendly is an annoyance by itself.
#209
Join Date: Nov 2018
Programs: air new zealand
Posts: 25
Sadly my first comment on FT is to advise that CX told me only my name and title had been hacked. But last week, my credit card was hacked with ~$3,000 NZD for flights, including one on Cathay. Quite scary. Thanks for all the info here.
Last edited by kathkiwi; Nov 19, 2018 at 1:58 pm Reason: Deleted note about this being a reply, not a post. My misunderstanding.
#210
Join Date: Nov 2017
Programs: MPC-DM, Enrich-Plat
Posts: 1,310
Unless you did not use your card for a long time anywhere, the physical card is stored safe and you never "stored" the card details in such a "secure" clode safe, it would be a very long jump to suggest your card details became compromised through the CX hack&leak.