Cathay asked to explain data breach that affected 102,209 PH users

The National Privacy Commission (NPC) has ordered Hong Kong-based carrier Cathay Pacific Airways to explain its actions over a data breach in March this year that affected 102,209 users from the Philippines.

In an order dated October 29, the data privacy agency threatened to prosecute local officials of the airline for their apparent failure to notify the NPC of the data breach in a timely manner.

On May 7, Cathay's forensics investigators confirmed unauthorized access to the company's information system. Cathay was able to determine that data were accessed or exfiltrated by still-unknown individuals.

Aside from the personal data of passengers of Cathay and its budget subsidiary Hong Kong Dragon Airlines, personal data of members of Cathay’s frequent flyer program, Asia Miles, were also affected.

Cathay determined the Philippine nationality of those compromised in the attack through Philippine passport details, Philippine addresses, and telephone numbers.

From their analysis, some 102,209 Philippine data subjects had their data compromised, with roughly 35,700 passport numbers and 144 credit card numbers from the Philippines exposed.

“On the surface, there appears to be a failure on the part of Cathay to report to this Commission what it knew about the data breach at the time it confirmed unauthorized access, and what the affected data fields are,” the NPC said.

“Cathay’s term, ‘very recently’, does not establish any timeline through which we may determine the timeliness of the report dated 25 October 2018,” it added.

The agency also said the remediation measures undertaken by Cathay did not meet the specificity of notifications required under the law.

The NPC said it is therefore “necessary to require Cathay to explain, in writing, why Cathay and its responsible officers should not be prosecuted under the provisions of the Data Privacy Act of 2012 for concealment of security breaches involving sensitive personal information.”
