Fresh from belatedly admitting that 9.4 million passengers’ personal data was stolen by hackers, Hong Kong airline Cathay Pacific has now admitted that it was under attack for three solid months before it took half a year to tell anyone.
Cathay Pacific hack: Personal data of up to 9.4 million airline passengers laid bareREAD MORE
In its initial public statement on the hack, which saw names, nationalities, dates of birth, addresses, some people’s passport numbers, email addresses and more heading from its secure servers into the hands of as-yet unidentified miscreants, Cathay said it had detected “suspicious activity” beginning in March 2018.
In a submission made by the airline to Hong Kong’s Legco (its Legislative Council; broadly, the semi-autonomous Chinese territory’s equivalent of Parliament) reveals (PDF, 4 pages), ahead of a Wednesday hearing, Cathay said it knew that in March the “suspicious activity” was a full-scale attack on its servers.
“During this phase of the investigation, Cathay was subject to further attacks which were at their most intense in March, April and May but continued thereafter. These ongoing attacks meant that internal and external IT security resources had to remain focused on containment and prevention,” said the airline in its written submission to local legislators.
Cathay has come under fire from various parties for waiting six months before telling the victims that their data had been illegally copied from the airline’s servers. The type of data stolen varied between passengers; only a relative handful (430) of credit card numbers were accessed, including 427 expired cards, it alleged in its Legco submission.
“The two big issues were: which passenger data had been accessed or exfiltrated and, since the affected databases were only partially accessed, whether the data in question could be reconstructed outside Cathay’s IT systems in a readable format useable to the attacker(s). Conclusions on these issues proved difficult and time-consuming and were only reached in mid-August,” added the airline, one of the more high-profile carriers in the Asia-Pacific region.
As an explanation for the delay in telling anyone about the hack, Cathay said it “wanted to be able to give a single, accurate and meaningful notification to each affected passenger, rather than to provide an overly broad and non-specific notice.”
We've asked Cathay for comment.
Local police, as well as legislators, have been notified. The airline has set up a dedicated website for people who think their personal data may have gone walkies. ®