Cathay Pacific Admits Hack Of 9.4 Million Customer Records

Hong-Kong-based airline Cathay Pacific has confirmed a “data security event” that has affected passenger data.

The airline said it has discovered “unauthorised access to some of its information system containing passenger data of up to 9.4 million people.”

It comes after British Airways last month confirmed a hack of its website and mobile app, which compromised the personal and financial details of around 380,000 customers.

Data breach

The airline said that the data breach happened on IT systems “totally separate from its flight operations systems, and there is no impact on flight safety.”

“We are very sorry for any concern this data security event may cause our passengers,” said CEO Rupert Hogg. “We acted immediately to contain the event, commence a thorough investigation with the assistance of a leading cybersecurity firm, and to further strengthen our IT security measures.”

“We are in the process of contacting affected passengers, using multiple communications channels, and providing them with information on steps they can take to protect themselves,” Hogg added. “We have no evidence that any personal data has been misused. No-one’s travel or loyalty profile was accessed in full, and no passwords were compromised.”

The airline confirmed that personal data that has been compromised includes passenger name; nationality; date of birth; phone number; email; address; passport number; identity card number; frequent flyer programme membership number; customer service remarks; and historical travel information.

And to make matters worse, 403 expired credit card numbers were also accessed, and twenty-seven credit card numbers with no CVV were accessed.

The airline said it has notified the Hong Kong Police and is notifying the relevant authorities.

“We want to reassure our passengers that we took and continue to take measures to enhance our IT security,” said Hogg. “The safety and security of our passengers remains our top priority.”

Besides Cathay Pacific and British Airways, other airlines have also been compromised recently.

In August for example Air Canada’s mobile app suffered a data breach that may have compromised passport data.

And in April this year, Delta Airlines said credit card details of thousands of customers had been exposed following a cyber attack on a third party vendor that provided online chat services for the airline.

Expert reaction

One security expert has warned that data breaches of this nature will fuel yet more cyber crime going forward.

“This amount of personal data being breached will undoubtedly make a contribution to further cybercrime in the future,” explained Tim Helming, director of product management at DomainTools. “The details released are the most valuable type of PII: more than enough for cybercriminals to target victims via spear phishing ransom campaigns, or to simply steal identities for financial gain.

“The affected customers would be advised to change passwords to sensitive accounts as soon as possible and keep an eye out for any unusual email traffic or financial activity,” said Helming. “This type of breach is wearyingly common; companies simply need to do better when protecting our data.”

Another expert warned that the aviation industry is being targetted by outside forces.

“The Cathay Pacific breach is a clear indication that the airline industry has a target on its back, given that British Airways and Air Canada have also been in the news in recent months for material breaches of customer data and personal information,” said Sam Curry, chief security officer at Cybereason.

“In the bigger picture, it would be premature to speculate on the overall damage to Cathay’s customers and the airline itself,” said Curry. “Passengers that travel with Cathay should assume their personal information has already been stolen many times over and it is unfortunately the reality facing billions of people in the connected world we live in. Collectively, black hat hackers are patient and their persistence means they are likely to be successful 100 percent of the time when they attempt to breach a system.”

“This stacks the cards against the defenders, meaning that Cathay and the airline industry as a whole needs to rethink their strategy around network detection and start taking the fight to the hacker by going on the offensive with more advanced technologies and services that will stop threats before they can materialise,” he added.

Meanwhile one expert warned on the implications that this stolen data can have.

“Data in the wrong hands – especially payment card information – can have a huge impact on customers, far beyond the unauthorised use of their cards,” said Ryan Wilk, VP at NuData Security. “Payment card information, combined with other user data from other breaches and social media, builds a complete profile. In the hands of fraudsters and criminal organisations, these valuable identity sets are usually sold to other cybercriminals and used for myriad criminal activities, both on the internet and in the physical world.”

“Multi-layered technology that thwarts fraud exists right now,” said Wilk. “Passive biometrics technology is making stolen data valueless by verifying users based on their inherent behaviour instead of relying on their personally identifiable information. This makes it impossible for bad actors to access illegitimate accounts, as they can’t replicate the customer’s inherent behaviour.”

But one expert also argued that data breaches will happen, despite precuations.

“Nobody is going to have perfect security and breaches will happen, but as insiders and external actors get more sophisticated, organisations have to be able to do a better job of detecting suspicious activity quickly and reducing the time it takes to investigate an incident,” said Brian Vecci, technical evangelist at Varonis.

“Months went by between when this attack was apparently noticed and when investigators figured out sensitive data might have been stolen, and then almost half a year passed before it was announced,” he added. “That’s unacceptable and highlights just how far behind the eight ball most organisations are when it comes to threat hunting and incident response.”

“It’s a scenario that has played out again and again: Companies lack context to separate the signal from the noise, and InfoSec teams are stuck trying to find what’s essentially a needle in a stack of needles,” said Vecci. “They can’t get a complete picture of an attack, don’t know if anything sensitive was lost or stolen, and are clearly missing the mark when it comes to securing the records of some of their most loyal customers.”

How much do you know about hackers? Take our quiz!