Further to a media statement dated 25 October 2018 on Cathay Pacific Airways Limited (Cathay Pacific) data breach incident, having considered the latest information obtained, the Privacy Commissioner for Personal Data, Hong Kong (Privacy Commissioner), Mr Stephen Kai-yi WONG, is, after the compliance check initiated upon receipt of the data breach notification, of the view that there are reasonable grounds to believe that there may be a contravention of a requirement under the law and decides today (5 November) to commence a compliance investigation against Cathay Pacific, and its wholly owned subsidiary, Hong Kong Dragon Airlines Limited, pursuant to section 38(b) of the Personal Data (Privacy) Ordinance (the Ordinance).
Mr Wong said, “The compliance investigation is going to examine in detail, amongst others, the security measures taken by Cathay Pacific to safeguard its customers’ personal data and the airline’s data retention policy and practice.” The Privacy Commissioner is empowered under the Ordinance to summon witnesses, enter premises, require them to furnish to him evidence, and carry out public hearings in the course of a compliance investigation.
Mr Wong reiterated, “A compliance check preceding a compliance investigation, being an established policy and practice in the office of the Privacy Commissioner for Personal Data (PCPD) in accordance with the Ordinance has nothing to do with, let alone derogating, the stringency of determining a contravention. It is entirely incorrect and irresponsible to suggest that after a compliance check, the process of compliance investigation will automatically stop. Any message to the public purported to suggest that the PCPD will not carry out a detailed compliance investigation of the reported incident at the earlier stage is ill-informed, misleading and irresponsible.”
Earlier today, Cathay Pacific responded in writing to the Privacy Commissioner’s request for information in the compliance check, which was initiated by him on 25 October 2018, the day after Cathay Pacific publicly announced and notified him that there had been unauthorised access to a vast amount of personal data of its customers. Having considered the latest information from Cathay Pacific, the Privacy Commissioner has decided to commence a compliance investigation to ascertain whether there is any contravention of a requirement under the Ordinance.
As at 5:00pm today (5 November), the office of the Privacy Commissioner has received 108 enquires and 89 complaints relating to this data breach incident.