Cathay Pacific data breach – worse than BA…


This topic contains 46 replies, has 14 voices, and was last updated by stevescoots 16 Nov 2018 at 01:28.

Viewing 15 posts - 1 through 15 (of 47 total)

  • Derek1948
    Participant

    Having just read about a data breach by CP affecting 9 million plus people that happened in March, I wonder what the comments will be about this, compared to the vitriol hurled at BA?
    Just asking?


    stevescoots
    Participant

    According to CX it was over 9 million passport numbers and HKID numbers, but CC details were just a few hundred expired ones. I don’t see this in the same light as BA, anyone who travels is always giving out passport details every time they check into a hotel so chances are all our PP details are out there somewhere, it’s the card details that are of concern


    IanFromHKG
    Participant

    According to CX it was over 9 million passport numbers and HKID numbers, but CC details were just a few hundred expired ones. I don’t see this in the same light as BA, anyone who travels is always giving out passport details every time they check into a hotel so chances are all our PP details are out there somewhere, it’s the card details that are of concern

    Except that according to CX’s own website, the information accessed was “passenger name; nationality; date of birth; phone number; email; address; passport number; identity card number; frequent flyer programme membership number; customer service remarks and historical travel information”.

    That is one helluva lot of information and seems to be more than enough information to indulge in some comprehensive identity theft. And the worst bit? This data was accessed IN MARCH!! Seven months ago!!! And they are only telling people about it now!!!!

    In fact I still don’t know whether my family or I are affected because CX say “we will contact [affected customers] individually in the coming days”, meaning they haven’t even informed individuals yet. And the hotlines don’t open until this afternoon. And if you try to click on the link in the website to register for a check on whether you are affected, it doesn’t work.

    Complete and utter b****y shambles and as you can imagine I am absolutely furious. We already went through the whole process of cancelling our UK credit cards over the summer because of the BA data breach (the Memsahib was a victim of that) which was a right pain in the arse, and now, although our credit cards shouldn’t be affected, a whole raft of our personal information may – or may not, I still can’t tell! – have been leaked.

    I hope they get prosecuted and an absolutely massive fine, and that the persons responsible for the IT systems in question AND for the decision not to make an immediate announcement are given the boot. CX can hardly fail to be aware of the fact that responsible companies disclose this sort of issue promptly and clearly made a decision not to – one can only wonder why, and what has triggered the disclosure now.


    FDOS_UK
    Participant

    IanFromHKG

    I hope they get prosecuted and an absolutely massive fine, and that the persons responsible for the IT systems in question AND for the decision not to make an immediate announcement are given the boot. CX can hardly fail to be aware of the fact that responsible companies disclose this sort of issue promptly and clearly made a decision not to – one can only wonder why, and what has triggered the disclosure now.

    Thankfully, I’m not affected by this one, but I agree with your sentiments and as I’m affected by the BA breach, can empathise with what you are going through.

    Derek1948

    Having just read about a data breach by CP affecting 9 million plus people that happened in March, I wonder what the comments will be about this, compared to the vitriol hurled at BA?

    Why is a comparison necessary? Both are very serious breaches – unfortunately the CX breach will not fall under the GDPR regime, which has the teeth to take serious action and the wait from March to inform people just shows why legislation is needed.

    Or is it an auto-suggestion that BA is not so bad, because they ‘only’ lost 380k records? Having been affected by the BA breach, I am having to scan my credit rating regularly and look for signs of card and other fraud – so I am not going to accept that BA is relatively better, they have let me down and I am looking forward to seeing the ICO and the class action punish them for this – the wheels of justice grind slowly, but grind fine.

    In my experience, BA fanbois love to benchmark against worst practice, to have a reassuring sense that their airline is okay. That’s called denial in the real world. Just sayin’.


    stevescoots
    Participant

    According to CX it was over 9 million passport numbers and HKID numbers, but CC details were just a few hundred expired ones. I don’t see this in the same light as BA, anyone who travels is always giving out passport details every time they check into a hotel so chances are all our PP details are out there somewhere, it’s the card details that are of concern

    Except that according to CX’s own website, the information accessed was “passenger name; nationality; date of birth; phone number; email; address; passport number; identity card number; frequent flyer programme membership number; customer service remarks and historical travel information”.

    That is one helluva lot of information and seems to be more than enough information to indulge in some comprehensive identity theft. And the worst bit? This data was accessed IN MARCH!! Seven months ago!!! And they are only telling people about it now!!!!

    In fact I still don’t know whether my family or I are affected because CX say “we will contact [affected customers] individually in the coming days”, meaning they haven’t even informed individuals yet. And the hotlines don’t open until this afternoon. And if you try to click on the link in the website to register for a check on whether you are affected, it doesn’t work.

    Complete and utter b****y shambles and as you can imagine I am absolutely furious. We already went through the whole process of cancelling our UK credit cards over the summer because of the BA data breach (the Memsahib was a victim of that) which was a right pain in the arse, and now, although our credit cards shouldn’t be affected, a whole raft of our personal information may – or may not, I still can’t tell! – have been leaked.

    I hope they get prosecuted and an absolutely massive fine, and that the persons responsible for the IT systems in question AND for the decision not to make an immediate announcement are given the boot. CX can hardly fail to be aware of the fact that responsible companies disclose this sort of issue promptly and clearly made a decision not to – one can only wonder why, and what has triggered the disclosure now.

    I stand corrected, I didn’t read the CX website. That is a major breach and can lead to total identity theft, as bad if not worse than the BA loss


    IanFromHKG
    Participant

    Well, I have received the email, and I am one of the affected people. My name and title, nationality, email, ID number and telephone number have been compromised – not my address or date of birth, but I suspect still enough for identity theft to have occurred. No mention of credit card information, which is something. My family are scattered around the planet at the moment so I don’t know yet if they have been affected as well.

    The email also contains an update on timing – they “discovered suspicious activity on our network in March” and although the email says they “took immediate action to contain the event [and] to commence a thorough investigation” they go on to say that “unauthorised access to certain personal data was confirmed in early May” – so it still took them weeks to work out that personal data was compromised. Since May, apparently, “analysis of the data has continued in order to identify affected individuals and to determine whether the data at issue could be reconstructed”. Given the number of people affected (9.4 million) perhaps that explains why it has taken them this long to tell anyone. The other interesting part about that last extract was the reference to reconstructing the data – which makes me wonder whether their database was corrupted as well as hacked into.

    They are also offering a free 12-month ID monitoring service to affected passengers, which I will certainly use.


    Tom Otley
    Keymaster

    Sorry to hear about your trouble on this one

    Cathay Pacific shares slide to nine-year low as data leak rattles investors

    “….Cathay said late on Wednesday that in addition to 860,000 passport numbers and about 245,000 Hong Kong identity card numbers, the hackers accessed 403 expired credit card numbers and 27 credit card numbers with no card verification value (CVV).”


    CrazyCanuck
    Participant

    Hi everyone,

    The unfortunate reality is that every time we use our cards we are giving information across to parties that may be raided/hacked sometime in the future. This is the reality of the data age. How can it be stopped…we can all debate…..but robbers will always try and law enforcement will always try to stop. Recipients of data must try to do better, even if we know they may fail.


    canucklad
    Participant

    Sadly, it’s a sign of the times……

    And we could argue until the proverbial cows, that it’s our own fault, for choosing to trust corporations with information we’d probably not share with some of our best friends.

    And all to save a couple of minutes of time, every time we book online……

    I am as guilty as hell of this complacency…..

    At least 7 airlines have some data, 5 have the same amount as Ian is talking about, including CC details.
    My corporate travel booking company has everything, including an auto-verification when I pay for my travel.
    Umpteen grocery/high street stores also hold my details.
    Utility companies, my bank, online shopping sites and stuff I’ve not remembered, like Hearts ticket office, the fringe ticket office…….

    It’s scary stuff, and here’s a thought, unless you’ve been living on the moon for the last few years, you know that there are very sophisticated criminal networks (possibly state backed) carrying out these crimes without seemingly impunity.

    Not sure if I can recall one single successful prosecution?

    And to add to my guilt I know for my laziness I’m probably allowing these (some) conglomerates to sell on my information, of which I get no recompense !!

    For me, what made BA’s worse, but not by much, was that the CVV numbers were held as well!!


    CathayLoyalist2
    Participant

    I too got the email this morning from CX and like IanHKG will use the monitoring service. One thing I never do is check the box when paying which states “do you want your credit card payment details stored”? As others have said in a world where we release personal information regularly the risks increase.


    FDOS_UK
    Participant

    Sadly, it’s a sign of the times……

    And we could argue until the proverbial cows, that it’s our own fault, for choosing to trust corporations with information we’d probably not share with some of our best friends.

    And all to save a couple of minutes of time, every time we book online……

    I am as guilty as hell of this complacency…..

    At least 7 airlines have some data, 5 have the same amount as Ian is talking about, including CC details.

    My corporate travel booking company has everything, including an auto-verification when I pay for my travel.

    Umpteen grocery/high street stores also hold my details.

    Utility companies, my bank, online shopping sites and stuff I’ve not remembered, like Hearts ticket office, the fringe ticket office…….

    It’s scary stuff, and here’s a thought, unless you’ve been living on the moon for the last few years, you know that there are very sophisticated criminal networks (possibly state backed) carrying out these crimes without seemingly impunity.

    Not sure if I can recall one single successful prosecution?

    And to add to my guilt I know for my laziness I’m probably allowing these (some) conglomerates to sell on my information, of which I get no recompense !!

    For me, what made BA’s worse, but not by much, was that the CVV numbers were held as well!!

    As I understand it, the CVV was not held, but was captured during the transaction (along with other info), so it did not matter if one had saved the credit card details or not, they were taken from the transaction, not from the database.

    So no need for self flagellation – it would have happened, anyway.


    stevescoots
    Participant

    I also never tick the box to maintain my card details, not for any purchase.

    Call me cynical but why do I feel the Chinese state backed hackers’ hand in this….some very nice data for state airlines to play with, expect to see the spam from them coming through thick and fast, and the state itself as far as the HKIDs are concerned


    IanFromHKG
    Participant

    The Memsahib is very nervous about providing bank account details over the internet, but as I occasionally have to point out to her, there is often no more information provided than you would find on the face of a cheque.

    In the case of a credit card, pretty much ditto – there is nothing to stop the payee from turning the card over and memorising the CCV.

    I think we all have to accept that the modern world and its payment systems involve a degree of risk, and we can only seek to control it up to a point. That means, for example, not letting a shopkeeper take your credit card out of sight (where it could be cloned). However, any online transaction requires entry of payment information. At that point you have to have a certain amount of trust in the systems of your card company AND the merchant. In this case, CX, as the merchant, have badly let down their customers.

    To date I, the Memsahib, and Junior Offspring (who is a minor so I know this because emails relating to her Asia Miles account go to the Memsahib) have all received emails confirming that our data has been compromised.

    The monitoring service CX have offered gave me some reassurance, when I first entered my details, since it confirmed no hits. However, a couple of days later, it scared the cr*p out of me by declaring they had a hit – however, it turned out that was from my LinkedIn account and was a reference to an old business email address from my former employer. Well, you know what, any reference I had on LinkedIn to that email account hasn’t changed since I was made redundant by that company four years ago, so the original report was quite clearly unreliable. Now I no longer trust the monitoring service…

    Cathay have recently been doing quite well in re-earning my loyalty (they gave me a new Diamond Card in the summer despite my falling well below the qualifying threshold) and I will re-earn a Diamond card during this membership year, based on planned travel. However – this is a very serious breach and I do strongly feel that Cathay should have done, and should be doing, much much better.


    IanFromHKG
    Participant

    I’m surprised there hasn’t been more activity on this thread. But then I was also astonished to read this morning in the South China Morning Propaganda that Hong Kong’s privacy commissioner has received just 24 complaints about this. 24!!!! So I account for more than 4% of all complaints in Hong Kong (and it’s not as though it’s difficult to do, it took me about ten minutes). Perhaps it is because we live in a police state (let it not be forgotten that Asia’s Finest have the power of random stop-and-search) and we are so accustomed to authority figures trampling over our “rights” that mass apathy has kicked in. It’s really quite depressing.

    I was much heartened to see a link in an internal knowhow bulletin email (we get a couple of emails each day with links to external articles that might be of interest) to an article about a law firm trying to set up a class action for data breaches – but it turned out they are in the UK and Australia, where of course the laws are different. Sigh.


    GivingupBA
    Participant

    I’m surprised there hasn’t been more activity on this thread.

    Me too, Ian. But I also just got the email from Cathay Pacific (who I often fly on) listing what information of mine was pinched (“Address / Name / Nationality / Title”) and saying how sorry they were about it – I wish they’d put that much effort into safeguarding my stuff, although at least my cards are not compromised – in my case, that would worry me more.

    Ian, thanks for your helpful posts on the topic and best wishes. Like you, as you said, I “strongly feel that Cathay should have done, and should be doing, much much better.”
