Date: 6 June 2019
Cathay Data Breach Incident
- Personal Data Security & Retention Principles Contravened
- Lax Data Governance
The Privacy Commissioner for Personal Data, Hong Kong (Privacy Commissioner) Mr Stephen Kai-yi WONG today published an investigation report on the data breach incident of unauthorised access to personal data of approximately 9.4 million passengers of Cathay Pacific Airways Limited and Hong Kong Dragon Airlines Limited (collectively referred to as Cathay). The Privacy Commissioner found Cathay contravened the data protection principles under the Personal Data (Privacy) Ordinance (Ordinance) relating to personal data security. The Privacy Commissioner served an Enforcement Notice today to direct Cathay to remedy and prevent any recurrence of the contraventions.
Cathay did not take all reasonably practicable steps to protect the affected passengers’ personal data against unauthorised access in terms of vulnerability management, adoption of effective technical security measures and data governance, contravening Data Protection Principle 4(1) of Schedule 1 to the Ordinance:
- Failure to identify the commonly known exploitable vulnerability and its exploitation, and failure to take reasonably practicable steps to ensure proper deployment of the Internet-facing server;
- Vulnerability scanning of the Internet-facing server at a yearly interval, which is too lax for effectively protecting its information systems against evolving digital threats;
- Failure to take reasonably practicable steps to keep the administrator console port of the Internet-facing server from being exposed to the Internet, as a result of which a gateway for attackers was opened;
- Failure to apply effective multi-factor authentication to all remote access users accessing its IT system involving personal data;
- Producing unencrypted database backup files to facilitate the migration of a data centre without adopting effective security controls, thus exposing the personal data of the affected passengers to attackers;
- Failure to maintain an effective personal data inventory covering all systems containing personal data; and
- Low risk alertness and failure to take reasonably practicable steps to reduce the risk of malware infections and intrusions into its IT system after the earlier security incident in 2017.
There being no justifiable reasons, Cathay did not take all reasonably practicable steps to ensure that the Hong Kong Identity Card numbers of the affected passengers were not kept longer than was necessary for the fulfilment of the defunct verification purpose for which the data was used, contravening Data Protection Principle 2(2) of Schedule 1 to the Ordinance.
Data breach notification
There being no statutory requirements under the Ordinance for a data breach notification, whether to the Privacy Commissioner or the affected passengers, and whether within a particular period of time or otherwise, the Privacy Commissioner found no contravention of the Ordinance in this connection.
Cathay could have notified the affected passengers of the suspicious activity once it was detected in March 2018, and advised them earlier of the appropriate steps to take, to meet their legitimate expectation.
The Privacy Commissioner exercised his power pursuant to section 50(1) of the Ordinance and served an Enforcement Notice to direct Cathay to:
- Engage an independent data security expert to overhaul the systems containing personal data;
- Implement effective multi-factor authentication for all remote users accessing its IT system involving personal data and undertake to conduct regular reviews of remote access privileges;
- Conduct effective vulnerability scans at server and application levels;
- Engage an independent data security expert to conduct reviews/tests of the security of Cathay’s network;
- Devise a clear data retention policy specifying the retention period(s) of passengers’ data, which must be no longer than is necessary for the fulfilment of the purpose, and undertake to implement effective measures to ensure its effective execution; and
- Completely obliterate all unnecessary HKID Card numbers collected from the Asia Miles membership programme from all systems.
Mr Stephen Kai-yi WONG, the Privacy Commissioner, added:
“The fact that personal data is less tangible than other personalty (e.g. bank notes) or realty does not absolve businesses of their failures to keep it safely and to obliterate it when it is no longer necessary for the fulfilment of the purpose for which the data is or is to be used. To give effect to the legal requirements, there is also an expectation of comprehensive, effective and evidenced privacy compliance policies and programmes being put in place, relevant and scalable for the businesses concerned, as well as demonstrable internally and externally. This legitimate expectation comes from both the customers, who are the data subjects, and the regulators.
“During the investigation, I was mindful of the accuracy and sensitivity, and exercised due care and diligence to ensure that I had the accurate facts on which my investigation and findings were based and that disclosure of these facts could not be potentially exploited or used to compromise Cathay’s information systems security, flight operation and business secrets. It is quite clear that contraventions aside, Cathay adopted a lax attitude towards data governance, which fell short of the expectation of its affected passengers and the regulator.”
The investigation report was published in accordance with section 48(2) of the Ordinance, after having considered that it is in the public interest to do so.
- END -
Notes to Editors
The data breach incident was discovered when Cathay first detected suspicious activity on its network on 13 March 2018.
Upon receipt of a data breach notification lodged by Cathay on 24 October 2018, in relation to its discovery of unauthorised access to the personal data of approximately 9.4 million passengers of Cathay, the Privacy Commissioner initiated an investigation on 5 November 2018.
The data subjects affected were Cathay’s passengers including members of Asia Miles and Marco Polo Club and registered users, from over 260 countries / jurisdictions / locations.
The personal data involved consisted mainly of the affected passengers’ name, flight number and date, title, email address, membership number, address, phone number, etc.
An individual who has credible evidence to prove that he or she has suffered damage, including injury to feelings, by reason of a contravention of the Ordinance in relation to his or her personal data may seek compensation from the data user concerned.