Cathay Pacific, one of the world's largest airlines with a fleet size nearing 150 and operations in over 60 countries, has releaved that the massive data breach it suffered earlier this year lasted for months before it was discovered and contained.
In a statement issued last month, the airline announced that hackers had gained unauthorised access to passenger data of up to 9.4 million people and such data included passenger names, nationality, dates of birth, phone numbers, emails, addresses, passport numbers, identity card numbers, frequent flyer programme membership numbers, customer service remarks, and historical travel information.
In addition, the hackers had also gained access to 403 expired credit card numbers and 27 credit card numbers without associated CVV numbers.
"We are very sorry for any concern this data security event may cause our passengers. We acted immediately to contain the event, commence a thorough investigation with the assistance of a leading cybersecurity firm, and to further strengthen our IT security measures.
"We are in the process of contacting affected passengers, using multiple communications channels, and providing them with information on steps they can take to protect themselves. We have no evidence that any personal data has been misused. No-one’s travel or loyalty profile was accessed in full, and no passwords were compromised.
"We want to reassure our passengers that we took and continue to take measures to enhance our IT security. The safety and security of our passengers remains our top priority," said Rupert Hogg, chief executive officer of Cathay Pacific.
Hackers accessed passenger data for several months
According to Bloomberg, Cathay Pacific has informed Hong Kong's legislature this week that the unauthorised access to its passenger records was at its most intense between March and May this year and even though such attacks diminished in the following months, they continued to take place. The airline has expressed concern that similar attacks could be mounted in the near future.
"Cathay is cognizant that changes in the cybersecurity threat landscape continue to evolve at pace as the sophistication of the attackers improves. Our plans, which include growing our team of IT security specialists, will necessarily evolve in response to this challenging environment," the airline said.
The statement was issued by Cathay Pacific shortly after Hong Kong's privacy watchdog announced an investigation into the massive data breach that compromised personal data of millions of people, even though the airline has maintained that there is no evidence of such data being misused.
Commenting on Cathay Pacific's statement, Ilia Kolochenko, CEO and founder of High-Tech Bridge, said that Cathay's “no evidence of misuse” practically means nothing. Worse, it may mean that someone very smart is exploiting the data in an untrivial way, and probably very detrimental for the victims. Moreover, the stolen data can appear for sale on the Black market at any time.
"Taking into consideration the gravity of the breach, customers of Cathay will likely have no reliable recourse apart from promptly changing all their credit cards and IDs. Cathay may face numerous class actions and individual lawsuits from disgruntled customers, in parallel with severe monetary sanctions imposed by regulators from different countries," he added.
Organisations nowhere close to securing customer data
Nobody is going to have perfect security and breaches will happen, but as insiders and external actors get more sophisticated, organisations have to be able to do a better job of detecting suspicious activity quickly and reducing the time it takes to investigate an incident," said Brian Vecci, Technical Evangelist at Varonis.
"Months went by between when this attack was apparently noticed and when investigators figured out sensitive data might have been stolen, and then almost half a year passed before it was announced. That’s unacceptable and highlights just how far behind the eight ball most organisations are when it comes to threat hunting and incident response.
"It’s a scenario that has played out again and again: Companies lack context to separate the signal from the noise, and InfoSec teams are stuck trying to find what’s essentially a needle in a stack of needles. They can’t get a complete picture of an attack, don’t know if anything sensitive was lost or stolen, and are clearly missing the mark when it comes to securing the records of some of their most loyal customers.
"This also highlights the need for strict privacy regulations that include breach notification requirements and data minimisation. Consumers deserve to know immediately if something bad has happened to their private information and what’s been deleted—or it should not be collected in the first place and can’t be stolen," he added.