In 2018, aviation’s biggest data breach occurred when the information on 9.4 million customers was stolen from Cathay Pacific.
Strangely, most of the data accessed was about passenger travel plans and very little about financial information. Only 430 credit card details were stolen and most of those were incomplete or out of date.
Hong Kong’s watchdog – The Privacy Commissioner investigated the data breach and accused Cathay Pacific of two contraventions of law in having insufficient regard for data privacy and taking seven months to disclose the breach.
The data stolen consisted of passenger names, flight details, email address, membership number, phone number, date of birth etc. This included passport numbers in 9% of cases and identity numbers in 6% of cases.
The watchdog said Cathay contravened the law on two counts: first, it did not take all reasonably practicable steps to protect data. Second, Cathay retained Hong Kong identity card numbers 13 years after being collected.
Cathay’s investigation concluded there were two distinct groups of hackers. The first group is traced to October, 2014 when keylogger malware was installed to harvest user information and this attack continued until March 2018.
The second attack occurred in August, 2017 and exploited a vulnerability of an internet facing server, (a long standing and well known security risk). This second group made a brute force attack in March, 2018 that resulted in approximately 500 Cathay staff being locked out of their account, according to the report. The last known activity of the attack was on May 11, 2018.
Cathay said that its operations and flight safety systems were not impacted and flight safety was never compromised. Cathay has already made some changes, and said “as the sophistication of cyber attackers continues to increase, need to and will continue to invest in and evolve our IT security systems.”
Do enter your email address and click on the subscribe button on top right to keep up to date with new posts.