Cathay Pacific has announced a data breach affecting 9.4m passengers. The key details are as follows:
- 4 million passengers of Cathay and its unit Hong Kong Dragon Airlines Limited had been accessed without authorization
- 860,000 passport numbers, about 245,000 Hong Kong identity card numbers, 403 expired credit card numbers and 27 credit card numbers with no card verification value (CVV) were accessed (no passwords compromised)
- Data includes names of passengers, their nationalities, dates of birth, telephone numbers, email and physical addresses, passport numbers, identity card numbers and historical travel information.
- Suspicious activity was discovered in March, and the loss of personal information was confirmed in May
Industry leaders reacted below as part of our expert comments series.
Tim Helming, Director of Product Management at DomainTools:
“This amount of personal data being breached will undoubtedly make a contribution to further cybercrime in the future. The details released are the most valuable type of PII: more than enough for cybercriminals to target victims via spear phishing ransom campaigns, or to simply steal identities for financial gain. The affected customers would be advised to change passwords to sensitive accounts as soon as possible and keep an eye out for any unusual email traffic or financial activity. This type of breach is wearyingly common; companies simply need to do better when protecting our data.”
Sam Curry, Chief Security Officer at Cybereason:
“The Cathay Pacific breach is a clear indication that the airline industry has a target on its back, given that British Airways and Air Canada have also been in the news in recent months for material breaches of customer data and personal information. In the bigger picture, it would be premature to speculate on the overall damage to Cathay’s customers and the airline itself. Passengers that travel with Cathay should assume their personal information has already been stolen many times over and it is unfortunately the reality facing billions of people in the connected world we live in. Collectively, black hat hackers are patient and their persistence means they are likely to be successful 100 percent of the time when they attempt to breach a system. This stacks the cards against the defenders, meaning that Cathay and the airline industry as a whole needs to rethink their strategy around network detection and start taking the fight to the hacker by going on the offensive with more advanced technologies and services that will stop threats before they can materialise.”
Ryan Wilk, Vice President at NuData Security:
“Data in the wrong hands – especially payment card information – can have a huge impact on customers, far beyond the unauthorised use of their cards. Payment card information, combined with other user data from other breaches and social media, builds a complete profile. In the hands of fraudsters and criminal organisations, these valuable identity sets are usually sold to other cybercriminals and used for myriad criminal activities, both on the internet and in the physical world. Using these identities, and sometimes fake identities built from valid data, they’ll take over accounts, apply for loans, and much more. Every hack has a snowball effect that far outlasts the initial breach.
All customer information is valuable to fraudsters. Name, physical and email addresses, passwords, the content of emails. We must change the current equation of “breach = fraud” by changing how we think about online identity verification. To prevent post-breach damage, we need to make stolen data valueless.
Multi-layered technology that thwarts fraud exists right now. Passive biometrics technology is making stolen data valueless by verifying users based on their inherent behaviour instead of relying on their personally identifiable information. This makes it impossible for bad actors to access illegitimate accounts, as they can’t replicate the customer’s inherent behaviour.
Analysing customer behaviour with passive biometrics is completely invisible to users. It has the added benefit of providing valid users with a great experience without the extra friction that often comes with other customer identification techniques. When fraudsters try to use stolen customer data or login credentials, they will find the data is useless.
The balance of power will return to customer protection when more companies implement such techniques and technology.”
Ted McKendall, CTO at Trusted Knight:
“This is a catastrophe of a data breach, which makes British Airways’ leak last month look trivial by comparison. What is staggering here is firstly, the sheer volume of passengers affected – 9.4 million people is greater than the population of many countries; secondly, the nature of the data that has been accessed; and thirdly, how long it took the airline to alert customers. There are no details of how the breach was executed yet, but I can only assume that the extreme delay between identifying the breach and notifying customers is because the airline was trying to patch its systems first.
“While the airline has been quick to assure customers that only a small amount of financial information has been leaked, the data that has been leaked is more than unsettling. The passport information of passengers on the dark web will have an extremely high price tag. Much of this information – names, dates of birth, email and physical addresses – could be used to conduct further attacks against passengers’ other accounts, as often these details are enough to bypass security. However, sadly that’s not the worst of it. All those seriously affected will have to be on the lookout for identity fraud, and this shows just how serious cyber crime has become. We inherently trust a multitude of companies with our details but we cannot get them back once they are taken.”
David Emm, Principal Security Researcher at Kaspersky Lab UK:
“This is now the fourth airline to announce that they have suffered a data breach this year, following data leaks at Delta Airlines, Air Canada and, more recently, British Airways. Customers that entrust private information to the care of any online provider, including airlines, should be safe in the knowledge that their data is being kept in a secure manner. Cathay Pacific is an established and trusted airline provider, and this morning’s news that the personal data of 9.4 million passengers has been leaked suggests that the security solutions in place weren’t strong enough. However, it’s good to see that Cathay Pacific has taken the necessary precautions of informing its customers in response to this breach.
“Whilst security solutions significantly mitigate the risk of a successful attack, there are also other measures that businesses can take in order to provide thorough protection. These measures include running fully updated software, performing regular security audits on their website code and penetration testing their infrastructure. It’s crucial that businesses ensure that all passwords are protected using secure hashing and salting algorithms and the best way for an organisation to combat cyberattacks is to put in place an effective cybersecurity strategy before they become a target. Consumers may soon lose the trust of airlines if breaches keep occurring, so it is vital that airline organisations ensure that they have efficient solutions in place.”
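The comment above recommends protecting stored passwords with salted hashing. The following is an added example, not code from the article or from Kaspersky Lab, showing one standard way to do that with Python’s standard library: PBKDF2-HMAC-SHA256 with a fresh random salt per credential, a self-describing storage format, and constant-time verification. The iteration count, salt length and record format are assumptions chosen for the example, not values from the page.

```python
"""Salted password hashing with PBKDF2-HMAC-SHA256 (standard library only).

Added example: illustrates 'secure hashing and salting' as mentioned in the
expert comment above. Parameters below are assumed tuning choices, not values
from the article.
"""
import hashlib
import hmac
import os
from typing import Optional

# Assumed parameters: work factor and salt size (tune for your hardware).
PBKDF2_ITERATIONS = 600_000
SALT_BYTES = 16
ALGO_TAG = "pbkdf2_sha256"


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return a storable record 'pbkdf2_sha256$<iterations>$<salt_hex>$<hash_hex>'.

    A new random salt is drawn for every call unless one is supplied, so two
    users with the same password get different records and precomputed
    (rainbow) tables are useless against the stored values.
    """
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS
    )
    return f"{ALGO_TAG}${PBKDF2_ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute the hash using the salt and iterations stored in the record.

    The comparison uses hmac.compare_digest so timing does not leak how many
    leading bytes of the candidate hash matched. Malformed records are
    rejected rather than raising, so a corrupt row cannot crash the login path.
    """
    try:
        algo, iterations, salt_hex, digest_hex = stored.split("$")
        salt = bytes.fromhex(salt_hex)
        expected = bytes.fromhex(digest_hex)
        iters = int(iterations)
    except ValueError:
        return False
    if algo != ALGO_TAG or iters <= 0:
        return False
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, iters
    )
    return hmac.compare_digest(candidate, expected)


def demo() -> dict:
    """Show the properties a reviewer would check for a password store."""
    pw = "correct horse battery staple"  # constructed sample password
    record_a = hash_password(pw)
    record_b = hash_password(pw)  # same password, different salt
    return {
        "distinct_records": record_a != record_b,
        "verify_a": verify_password(pw, record_a),
        "verify_b": verify_password(pw, record_b),
        "wrong_rejected": verify_password("wrong password", record_a),
        "malformed_rejected": verify_password(pw, "not-a-valid-record"),
    }


if __name__ == "__main__":
    print(demo())
```

Storing the algorithm tag and iteration count inside each record lets the work factor be raised later for new or re-hashed credentials without breaking verification of older ones.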
Etienne Greeff, CTO and Co-founder at SecureData:
“Another day, another high-profile organisation covering up a security incident. In the firing line this time is Hong Kong airline carrier Cathay Pacific, who has suffered a breach affecting up to 9 million customers. As we saw with Google+ earlier this month, this is a classic example of the unintended consequences of regulation. By forcing companies to comply with tough new processes and rules, businesses are forcibly going to hide breaches and hacks purely out of fear of being caught out by hefty fines and significant reputational damage.
Credit is due to Cathay Pacific for setting up a dedicated website and call centre for potentially impacted customers. But this doesn’t excuse the fact that this breach was first detected in March and has only now been disclosed.
Unfortunately, we’re likely to see organisations continue this behaviour – attempting to cover up significant incidents – as they regard customer data as their own, without any kind of acknowledgement of the impact it could have on their own customers. The reality is that our identities are our own, and the ownership of these identities never passes to the company. They are merely custodians of identities for the simple purpose of conducting business transactions. If our personal details are compromised and we aren’t informed of it when it happens, we can’t take action to defend ourselves, and that is indefensible.”
Rachel Aldighieri, MD at DMA:
“Under the new GDPR regulations, brought into UK law in May’s Data Protection Act 2018, the penalties available to the ICO could have been even more severe – 4% of an organisation’s global annual turnover or €20m, whichever is higher. However, the potential impact of data breaches and privacy concerns like this go far beyond the monetary penalties, the long-term effects on customer trust, share price and public perception of breaking the law could be even more damaging in the long run.
“All businesses must be upfront and transparent about how they collect and use their customers’ data. The benefits of sharing data must also be clear and the consumers must be in control. We know people want this – research the DMA conducted earlier this year found 88% of people in the UK want more transparency around how their data is used. We outline how businesses can do this in our own Code, which calls for all DMA UK members to be accountable for how they use personal data. This is a key challenge that all businesses need to address if they are to build trust with consumers and long-term relationships that can benefit both the business and the customer.”
Paul Bischoff, Privacy Advocate at Comparitech:
“While the Cathay Pacific breach is unfortunate, it seems no usable payment information was breached according to the company’s statement. I would like to know a bit more about the nature of this database and what it was used for. It’s strange that among 9.4 million passengers affected, only a few hundred had any credit card details attached.
I’m not familiar with Hong Kong’s ID card system, so I won’t comment on the impact of that information being leaked. While it’s not ideal for criminals to know your passport number, it’s typically not sufficient for a criminal to steal your identity, break into your accounts, or commit fraud in your name.”
Stephen Burke, Founder and CEO at Cyber Risk Aware:
“Yet again, this breach shows that data hasn’t been secured properly. Credit card data should never be stored in plain-text and must always be encrypted – so the fact that this has been accessed implies that it hasn’t been.
At this moment in time, we’re unaware of how the initial breach occurred – if this draws parallels to BA, where unpatched systems were publicly accessible and then exploited as a result. This then implies that, not only was data security not thought out properly, but the basics of maintaining and patching systems as well as monitoring the network to identify abnormal behaviour was not being carried out. The fact it took six months for the airline to flag this to its customers also shows a lack of incident response process.
This highlights that large organisations who have sensitive data that are of systemic importance to the travel industry are not investing in the right security measures, and this is causing issues for customers on a personal level, with financial losses and privacy being affected.
This paints a picture that security hasn’t been thought of in the organisation, which has paid the price financially with its shares sliding to a nine-year low after the announcement.”
The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.