Cathay Pacific data leak: airline warns customers to guard against phishing attempts


Cathay Pacific Airways and IT experts have warned passengers to guard against dubious cyber links, as they expected phishing activities to surge following the massive data leak.

The city’s flagship carrier revealed belatedly on Wednesday night that the data of 9.4 million passengers had been illegally accessed, despite the breach being detected in March and confirmed in early May.

“We are aware that attempted phishing is taking place, and would like to remind people that emails related to this data security event will only be sent from [email protected],” the airline wrote on its website.

It added that passengers should not click on links that are variations of the one it provides to the data-monitoring service.

The airline did not immediately respond to a Post inquiry asking on which online platforms the phishing activity had been seen, or how many enquiries it had received.

Phishing messages are disguised emails or social-media messages sent from addresses, or pointing to sites, that resemble those of a reputable sender, in this case Cathay. They typically contain links that redirect to fraudulent websites, which may prompt the recipient to submit sensitive information or to download malicious software, known as malware.
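The airline's advice above boils down to two checks a mail filter can automate: the sender must be exactly the announced mailbox, and every link must point at the legitimate domain rather than a variation of it. The following is an added example, not the airline's or the Post's code; the sender address, domain and both messages are constructed stand-ins (example.com), and the confusables table is a deliberately short subset of the Unicode one.

```python
import re
import unicodedata
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Assumptions for this example: stand-ins for the airline's real domain and
# the single mailbox it said breach-related e-mails would come from.
EXPECTED_SENDER = "alerts@example.com"
EXPECTED_DOMAIN = EXPECTED_SENDER.rpartition("@")[2]

# A handful of Unicode characters that render like Latin letters. A production
# checker would use the full Unicode confusables table (UTS #39) instead.
CONFUSABLES = {
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p",  # Cyrillic a e o p
    "\u0441": "c", "\u0445": "x", "\u0455": "s", "\u0456": "i",  # Cyrillic c x s i
    "\u0131": "i",                                               # dotless i
}

URL_RE = re.compile(r"https?://[^\s<>\"')\]]+", re.IGNORECASE)


def decode_idna(host):
    """Turn punycode labels (xn--...) back into Unicode; leave other hosts alone."""
    try:
        return host.encode("ascii").decode("idna")
    except (UnicodeError, ValueError):
        return host


def skeleton(host):
    """Collapse a host onto the ASCII string it visually imitates."""
    host = unicodedata.normalize("NFKC", host)
    return "".join(CONFUSABLES.get(ch, ch) for ch in host)


def host_matches(host, expected):
    """True only for the expected domain itself or a subdomain of it."""
    return host == expected or host.endswith("." + expected)


def classify_host(host, expected=EXPECTED_DOMAIN):
    """'ok', 'homoglyph', 'lookalike' or 'foreign' for a link or sender host."""
    host = decode_idna(host.lower().rstrip("."))
    if not host:
        return "foreign"
    if host_matches(host, expected):
        return "ok"
    if host_matches(skeleton(host), expected):
        return "homoglyph"                      # e.g. Cyrillic 'a' in example.com
    if expected in host or expected.replace(".", "-") in host:
        return "lookalike"                      # e.g. example.com.verify.net
    return "foreign"


def classify_sender(addr, expected_sender=EXPECTED_SENDER):
    """The airline named one mailbox; anything else is reported, even on-domain."""
    addr = addr.lower()
    if addr == expected_sender:
        return "ok"
    verdict = classify_host(addr.rpartition("@")[2], expected_sender.rpartition("@")[2])
    return "unexpected-mailbox" if verdict == "ok" else verdict


def scan_message(raw):
    """Return (what, value, verdict) triples for the sender and every body link."""
    msg = message_from_string(raw)
    _, sender = parseaddr(msg.get("From", ""))
    findings = [("from", sender, classify_sender(sender))]
    for url in URL_RE.findall(msg.get_payload()):   # single-part text message here
        findings.append(("link", url, classify_host(urlparse(url).hostname or "")))
    return findings


def is_suspicious(raw):
    return any(verdict != "ok" for _, _, verdict in scan_message(raw))


# Constructed sample messages (not real mail): one imitating the breach notice
# with a lookalike sender and three bad links, one matching the announced sender.
SAMPLE_PHISH = """\
From: "Example Airline Data Security" <alerts@example.com.mail-verify.net>
To: passenger@mail.invalid
Subject: Action required: enrol in data monitoring

Dear passenger,
Enrol here: https://example.com/data-security
Or here: https://ex\u0430mple.com/verify
Or here: https://example.com.secure-login.net/verify
Update: http://203.0.113.5/update.exe
"""

SAMPLE_GENUINE = """\
From: Example Airline <alerts@example.com>
To: passenger@mail.invalid
Subject: Data security event

Details: https://www.example.com/data-security
"""

if __name__ == "__main__":
    for raw in (SAMPLE_PHISH, SAMPLE_GENUINE):
        for what, value, verdict in scan_message(raw):
            print(f"{verdict:18} {what:4} {value}")
        print("suspicious" if is_suspicious(raw) else "looks consistent", "\n")
```

The subdomain test is deliberately strict: `example.com.secure-login.net` contains the real name but does not end in `.example.com`, which is exactly the "variation of the link" the airline warned about, while a genuine `www.example.com` passes. The homoglyph step only catches the few characters in the table; a real filter would also decode punycode hosts (handled by `decode_idna`) and use the full confusables data.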

“The number of users affected is quite large in this breach, and there could be phishing emails or calls purporting to represent the company,” said Wilson Wong Ka-wai, the head of Hong Kong Computer Emergency Response Team Coordination Centre at the Productivity Council.

“People should be careful when handling financial transactions involving personal information,” he said.

The centre also reminded passengers that the 12-month free data breach surveillance service offered by Cathay to affected passengers would involve handing personal information to a vendor. “Theoretically this will pose an additional data security risk,” the centre said in a reply to Post’s questions.

Michael Gazeley, managing director of Network Box Corporation, a cybersecurity service provider, said it would not be surprising to see more phishing activities following the leak, with hackers playing on the fears of worried customers.

“The CX case may well result in ‘spear phishing,’ where stolen details are used to customise phishing emails, to make them far more target-specific and believable,” Gazeley said, adding that once personal information hits the dark web it can then be aggregated with other existing leaked data belonging to victims.

According to the airline, a total of 403 expired credit card numbers and 27 credit card numbers with no card verification value were compromised, along with about 860,000 passport numbers and 240,000 Hong Kong ID card numbers.

It said more than half the leaked data included names with phone numbers or email addresses, and there was no evidence that passwords, Asia Miles or Marco Polo Club account information had been illegally accessed.

Cathay has drawn a chorus of criticism for the way it handled the breach. The Hong Kong government also weighed in on Friday, saying it was highly concerned and pressing the airline to cooperate fully with an investigation by the Office of the Privacy Commissioner for Personal Data.

The government said it would jointly review requirements and penalties in the privacy ordinance with the watchdog, and consider steps to enhance data protection.

Speaking on an RTHK programme on Sunday, data protection experts agreed Hong Kong’s privacy law should be revised to require companies to promptly declare data breaches.

Lau Wing-cheong of Chinese University at RTHK’s programme at Victoria Park. Photo: Sam Tsang
Companies operating in Hong Kong or handling the data of its residents are not required by law to report a data breach promptly. By contrast, the European Union’s General Data Protection Regulation (GDPR) requires companies to notify the supervisory authority within 72 hours of becoming aware of a breach.

Lau Wing-cheong, an associate professor at Chinese University’s department of information engineering, said a new law might require companies to notify regulators and affected customers “within a reasonable time”.

“Speaking also as a victim [of this breach myself], I think the airline should alert the regulator and seek an extension for the necessary investigation. But it’s absolutely unacceptable people were not notified [until now],” Lau added.


source: SCMP
