Cathay Pacific Admits Hack Went On For Months

Airline admits it was under sophisticated attack for months, and took six months to inform the world

Hong-Kong-based airline Cathay Pacific has admitted that its “data security event” that affected passenger data, was much worse than first reported.

Late last month the airline admitted that the personal data for 9.4 million passengers had been compromised in a hack.

But now it seems the airline took over half a year to inform the world that it had been targetted by “sophisticated attackers.”

Whistleblower leak keyboard security breach © CarpathianPrince Shutterstock

Data breach

The airline initially confirmed that compromised personal data included passenger name; nationality; date of birth; phone number; email; address; passport number; identity card number; frequent flyer programme membership number; customer service remarks; and historical travel information.

And 403 expired credit card numbers were also accessed, and twenty-seven credit card numbers with no CVV were accessed.

But now the airline has made a fresh admission that the hack was worse than first thought. It emerged when the airline submitted the data about in the breach in an official report to Hong Kong’s Legislative Council.

The document noted that it had first noticed the attacks were most intense during March, April and May. The airline only notified the world on 24 October, over six months later.

Asia’s biggest airline also said on Monday in the written submission that although the number of successful attacks diminished, concerns remain “new attacks could be mounted.”

“Cathay and our affected passengers are victims of a cybercrime carried out by sophisticated attacker(s),” it noted. “Upon discovery we immediately launched a comprehensive investigation with the help of external experts to determine what occurred and what information was affected.”

“Cathay would like to apologise again to our passengers for the incident and any concerns that it has caused,” it added. “We take our responsibilities with respect to our passengers’ personal data very seriously and we acknowledge that there many lessons that we can and will learn from this event.”

Expert take

One expert said that sophisticated attacks are often very difficult to identify.

“Unfortunately, many large organisations, including Western multinationals and even governments, are susceptible to the same risks of tremendous data breaches,” said Ilia Kolochenko, CEO and founder of web security company High-Tech Bridge. “Worse, many data breaches that are capable of outshining Cathay’s attack, have not been discovered and will likely never be.

“Very few sophisticated attacks expose stolen data or otherwise give indicators that a breach has occurred,” said Kolochenko. “Cybercriminals are specially paid to meticulously cover their intrusions and conduct the attacks in a stealth mode. Gigabytes of intellectual property, PII and financial data are stolen every day without being noticed, and then discreetly used by cybercriminals and their “clients”.

“Cathay may face numerous class actions and individual lawsuits from disgruntled customers, in parallel with severe monetary sanctions imposed by regulators from different countries,” he added.

Another expert questioned why it took the airline so long to reveal the breach.

“Earlier this year, Cathay Pacific announced that it had suffered the biggest airline data breach of all time, putting 9.4m customers at risk,” noted Simon McCalla, CTO of Nominet. “The airline first noticed the issue back in March and failed to disclose the breach until October – seven months after the first discovery.”

“Today’s revelations that the attack lasted months will not comfort at risk customers,” said McCalla. “Questions are rightly being asked why it took Cathay Pacific so long to disclose the breach, given that it’s put millions of customers at risk of fraud for an extended period of time.”

Airline security

The Cathay attack comes after British Airways in September confirmed a hack of its website and mobile app, which compromised the personal and financial details of around 380,000 customers.

In August Air Canada’s mobile app suffered a data breach that may have compromised passport data.

And in April this year, Delta Airlines said credit card details of thousands of customers had been exposed following a cyber attack on a third party vendor that provided online chat services for the airline.

How much do you know about hackers? Take our quiz!