Cathay Pacific data breach – worse than BA…



This topic contains 46 replies, has 14 voices, and was last updated by stevescoots 16 Nov 2018 at 01:28.

Viewing 15 posts - 16 through 30 (of 47 total)

  • TonyR
    Participant

    If you are concerned about CC details there are services out there that give you a one-time disposable online CC to use for the exact amount of the transaction. If someone gets hold of it they haven’t got your CC details and they can’t charge anything to it. It integrates seamlessly, so when you get CC fields to fill in, one click can generate a CC number, CVV etc. on the fly for you. I use Blur, which is also a password manager, but there are others out there. HTH.


    cwoodward
    Participant

    The below from today’s SCMP I feel adds some balance to what has been at times a considerable over-reaction both on this forum and elsewhere.
    For the past week or so the SCMP has run several pieces aimed at inflaming the views of a largely uninterested Hong Kong readership, yet today has prominently featured the below from a regular contributor, Richard Harris.

    https://www.scmp.com/comment/insight-opinion/united-states/article/2171162/why-cathay-pacifics-handling-its-data-breach

    Last evening at a function we were a table of 14 HK-based business people, mostly local locals, who all travel to a greater or lesser extent with Cathay. None were remotely alarmed by this contained data breach. Slightly annoyed, yes, but nothing more, with all considering that this could happen to any large business that needs to gather a good deal of personal information, and some considering Cathay’s IT systems to be robust in that almost no usable data that was not readily available from other sources had been accessed by this aggressive breach.


    IanFromHKG
    Participant

    some considering Cathay’s IT systems to be robust in that almost no usable data that was not readily available from other sources had been accessed by this aggressive breach.

    With respect, I wholeheartedly disagree. The suggestion that CX’s systems were robust is an obvious fallacy. That this particular hack did not compromise other data does not detract from the fact that CX’s systems were not robust enough to stop an enormous data leak – to praise Cathay for not losing more is utterly ridiculous. And while Mr Harris’s data leak was limited to his name, Hong Kong ID, nationality, phone number and title (which is bad enough), let us not pretend that that was the limit of the breach, as other individuals had much more information leaked. It isn’t hard to imagine that someone with that information could plunder a customer’s FF miles, apply for a credit card (and wreck that person’s credit history), use the information to change a person’s email password and access their email account, and much worse besides.

    I do not think that any of the views expressed on this forum represent an over-reaction – in fact as one of the most vociferous posters on this subject I take that as a personal insult.

    However, since you suggest that this information can readily be accessed elsewhere, and that the leak is nothing to be alarmed about, I would ask that you have the courage of your convictions, and post on here – for the world to see – all the personal information about you that CX might have leaked. To make it easy for you to cut and paste the list and add your personal information in your reply, here is the list of what you should publish:
    Name:
    Nationality:
    Date of birth:
    Phone number:
    Email address:
    Address:
    Passport number:
    Identity card number:
    Frequent flyer programme membership number:
    Historical travel information:

    I would add that there is another bit of information that CX have also leaked but I haven’t added it to this list because you may not have ready access to it – “customer service remarks”. Although you can, of course, do a data access request, and then publish that information here as well.

    If you do not publish this information then I will be forced to the conclusion that you don’t want that data in the public domain. Well, you know what, cwoodward? I didn’t want my own information in the public domain, but CX put it there, and I am very, very unhappy about it.


    FDOS_UK
    Participant

    The below from today’s SCMP I feel adds some balance to what has been at times a considerable over-reaction both on this forum and elsewhere.

    That is one of the most stupid and inappropriate articles I have read for a long time.

    1 user thanked author for this post.

    stevescoots
    Participant

    Terrible article; the business leaders there probably downplayed it for fear of sounding hypocritical should their own systems get hacked. As for the SCMP, since it became a mouthpiece of Jack Ma and the party it has done more CX bashing than this forum has on BA, because they see it as a colonial hangover as Swire is still the largest shareholder. There was a respite in their vitriol when it looked like it might get taken over by either a Chinese fund or carrier, but once Swire said no, back to the usual party line.

    4 users thanked author for this post.

    cwoodward
    Participant

    Ian, again with respect.

    Personally insulted by my post! Surely a little OTT in the heat of the moment?

    I have not the least problem with you disagreeing with my view of the incident, and what is also evidently the view of most Cathay FFs, but I cannot for the life of me understand why you are so cross, to the point of making the ridiculous suggestion that I publish my personal information on a public forum and pretending this to be an action in any way parallel or equivalent to the contained data breach being debated here.
    To advance this as a serious suggestion is just silly and undermines to the point of collapse your other more sensible views and arguments.

    I would like to pose you a couple of questions, as it has become clear to me that this is an area of much interest to you and one to which you appear to have certain knowledge not generally available.
    In your post you make the very strong claim that the Cathay system was not robust. How can you properly justify this claim when it is becoming common knowledge that all systems are to a greater or lesser extent vulnerable?
    Was the Cathay breach more damaging than the BA breach? Is the Cathay system less robust or more robust than those of other airlines or banks?
    You infer that you are aware of systems collecting similar information that you know with some personal confidence to be superior and more robust. I am very interested to hear your informed view, and perhaps you would be good enough to name some that you honestly know to be ‘hack proof’ and why so.

    While I cannot find even a hint of a report of anyone’s information entrusted to Cathay being used to the dire consequences that you confidently predict, perhaps you can, and if so perhaps you would kindly list them below, should you become aware of any now or in, say, the next 12 months.
    To make this task a little easier for you I have listed below the areas of information that would be useful. Please feel free to add others.

    Nationality:
    Frequent flyer program:
    Historical travel information:
    Date information accessed:
    Who was the information accessed by:
    How accessed:
    Amount of loss:
    Amount recovered:
    Amount of personal damage caused:
    Action taken:

    Ian, I have read and often been in agreement with the views that you have advanced on this forum, although I do not myself have the time to post often. However, I do strongly disagree with your views on this and, to a lesser extent, with what I consider to be the needlessly aggressive way that they have been presented in your last post.
    I have advanced my view on the incident and will properly argue my corner, but I hope to express these views in a rather more pleasant way than you are tending now to do.


    FDOS_UK
    Participant

    cwoodward

    IanFromHKG has a long history of making reasonable and intelligent posts. As such he commands the respect of many members – I hold him in very high regard.

    You, on the other hand, do not have the same history, and your posts on this thread come across as being an apologist for security breaches by large corporates.

    Maybe in HK you do not have the same awareness of data protection or the same legislation we have in Europe, but your view comes across to me as hopelessly out of touch and complacent.


    Flightlevel
    Participant

    Recently went to my Asia Miles account, which has its own unique password, and it didn’t recognise my ‘phone number (I have four in different countries).
    It refused to book flights for me and said I had to change the ‘phone number via the email account used when I opened the Asia Miles account 10+ years ago – no idea which one!
    They are more suspicious of regular customers than of the crooks gaining the data of those millions of customers.


    IanFromHKG
    Participant

    Unfortunately there seemed to be a forum glitch when I tried to post my reply to cwoodward. I have since then tried multiple times to post it but this gets rejected on the basis that it is a duplicate post even though my original response never appeared. Here’s hoping that this entirely different post will clear the server’s cache and I can then repost the original reply. If it doesn’t appear immediately after this one, you will know the tactic failed, in which case I will contact BT and ask them to add my response.


    IanFromHKG
    Participant

    Ian, again with respect.
    Personally insulted by my post! Surely a little OTT in the heat of the moment?

    Funny you should say that, cwoodward. I thought quite hard about that wording when I wrote it, as I realised it was at the strong end of my range of feelings, but then I checked back through the emails and realised that with the small number of participants and, as mentioned, the fact that I was the most vociferous, your reference to there having been “a considerable over reaction … on this forum” was, indeed, insulting to me. Perhaps that wasn’t your intention, but it is the way that it came across.

    I cannot for the life of me understand why you are so cross, to the point of making the ridiculous suggestion that I publish my personal information on a public forum and pretending this to be an action in any way parallel or equivalent to the contained data breach being debated here.
    To advance this as a serious suggestion is just silly

    No less silly, I think, than suggesting that “almost no usable data that was not readily available from other sources had been accessed by this aggressive breach”. The point of my challenge to you was precisely to demonstrate the fallacy in that statement. If you believe in what you wrote, then the logical conclusion is that you accept that all this information about you is readily available from other sources. In that case, cwoodward, why not accept the challenge – after all, it can’t possibly expose you to any risk that you don’t already have, can it? That is, of course, a rhetorical question, but your assertion that the challenge was ridiculous only goes, I suggest, to undermine your own argument far more than it undermines mine. I never expected you to accept the challenge, because the idea that you would deliberately put that information in the public domain is indeed ridiculous. What I continue to struggle with is the idea that I and 9.4 million other people should be completely sanguine about the fact that CX has allowed just that to happen to our own information. In this instance you have exercised a choice not to publish that information. CX took that decision away from me.

    In your post you make the very strong claim that the Cathay system was not robust. How can you properly justify this claim when it is becoming common knowledge that all systems are to a greater or lesser extent vulnerable?
    Was the Cathay breach more damaging than the BA breach? Is the Cathay system less robust or more robust than those of other airlines or banks?

    It is true that I contradicted you when you asserted that CX’s systems were robust, but I immediately followed that by saying “that CX’s systems were not robust enough to stop an enormous data leak” (slightly different from saying they weren’t robust at all). I absolutely stand by that statement, in fact I think you would find it hard to deny that it is objectively true. I do, of course, accept that other businesses – and governments – do not have invulnerable systems. I have looked back at my posts and don’t think I made any suggestion to the contrary. I also didn’t draw any comparison as to the relative seriousness of the CX and BA breaches (all I did was say that the BA breach had personally affected us and been a major nuisance) nor as to the relative robustness of CX’s systems compared to others – that is not an area I am qualified to comment on, and not a debate I intend to get drawn into. I can, however, as one of the affected people, legitimately express my concerns that this breach has exposed me (and, as it turns out, my family) to risk and express my displeasure about that fact and, in particular, the fact that CX took seven months to tell me about it.

    You infer that you are aware of systems collecting similar information that you know with some personal confidence to be superior and more robust.

    I was pretty surprised to read that, cwoodward, so I went back through my posts to check – and what you say is simply untrue. I never said any such thing. Quite the contrary, in fact – I said in an earlier post “I think we all have to accept that the modern world and its payment systems involve a degree of risk, and we can only seek to control it up to a point … any online transaction requires entry of payment information. At that point you have to have a certain amount of trust in the systems of your card company AND the merchant. In this case, CX, as the merchant, have badly let down their customers.” I think this shows that I accept that systems are not invulnerable. My response to CX letting me down is not just about the breach but about the fact that CX clearly made a decision not to tell people who were affected by the breach for a considerable period of time. Let me point you to CX’s privacy policy, cwoodward. Let me refer you to the first sentence of paragraph 1: “At Cathay Pacific, we are committed to protecting your Personal Data and your privacy”. Let me point out to you when that policy was last updated – you can see it written at the bottom of the page. 25 May 2018. AFTER the breach. WEEKS after the breach. That, to me, smacks of a lack of integrity – in fact, I would go so far as to say it was a lie. I would be genuinely interested to hear your own view.

    You suggest that I have been needlessly aggressive. That was not my intention, but my views are clearly so strongly opposed to your own that I felt the need to express them in strong terms. Your assertion that I and other posters were engaging in a “considerable over reaction” was, perhaps, not the best way to start a civilised debate. However, I hope you will continue to express your views here, including on what I have written above.


    cwoodward
    Participant

    Ian

    The below illustrates either your misunderstanding of the meaning of ‘sanguine’ and/or your misreading of my original post.

    What I continue to struggle with is the idea that I and 9.4 million other people should be completely sanguine about the fact that CX has allowed just that to happen to our own information.

    ‘sanguine – optimistic or positive, especially in an apparently bad or difficult situation’.

    My response was definitely not one that could properly be interpreted as a positive one to the breach, and neither did it express an optimistic view, merely a more proportionate one than the excessively negative and mildly hysterical views expressed in your post.

    You infer that you are aware of systems collecting similar information that you know with some personal confidence to be superior and more robust.

    I stand by the assertion above, as in my view this was exactly what your original post implied.

    You suggest that I have been needlessly aggressive. That was not my intention, but my views are clearly so strongly opposed to your own that I felt the need to express them in strong terms.

    Are you offering the above as an excuse? Your intention or not, your post was an extravagantly aggressive one that overreacted to my own, which expressed my view in a more balanced and proportionate way.

    Ian, I am rather enjoying this exchange, but I just do not have the time to continue with it over the next couple of days, by which time it will cease to have much relevance (if in fact it ever had a lot). Thus I have to say just that I respect your views but consider them to be excessive, both in the breach’s predicted consequences and in the excessively aggressive way that you chose to express them.


    IanFromHKG
    Participant

    The below illustrates either your misunderstanding of the meaning of ‘sanguine’ and/or your misreading of my original post.

    Fair cop – “sanguine” was the wrong word to use. Perhaps “resigned” or “indifferent” would be more appropriate.

    You infer that you are aware of systems collecting similar information that you know with some personal confidence to be superior and more robust.

    I stand by the assertion above, as in my view this was exactly what your original post implied.

    I wish to make it very explicitly clear that I did not intend to make any such assertion.

    Your intention or not, your post was an extravagantly aggressive one that overreacted to my own, which expressed my view in a more balanced and proportionate way.

    That may be your belief, but given that you have now described my posts as “extravagantly aggressive”, “excessively aggressive” and even “mildly hysterical”, and said that I “overreacted” and that my views are “excessive” and “excessively negative”, I cannot see how you can describe the way you have expressed yourself here as “more balanced and proportionate”. On this and other matters we must clearly continue to disagree. Given the increasingly hostile and insulting tone of your own emails, I have no intention of being drawn further into a debate with you.


    Tom Otley
    Keymaster

    A further report in the South China Morning Post this morning (front page)

    Cathay Pacific cyberattack far worse than thought after airline admits facing intense hack for more than three months

    A major cyberattack that saw the data of 9.4 million Cathay Pacific Airways customers stolen by hackers was far worse than the airline has previously admitted.

    Rather than the “suspicious activity” it said it had discovered on its billion-dollar computer network in March, the carrier revealed on Monday that it had been the target of an intense attack lasting more than three months.

    Such was the intensity of the attack, Cathay said internal and external IT security experts had to focus solely on containment and prevention throughout March, April and May.


    cwoodward
    Participant

    Unfortunately the once venerable SCMP, formerly the Hong Kong newspaper of record, has now become little more than the mouthpiece of Jack Ma and his China-based Alibaba Group.
    For the past many months the SCMP has waged an unrelenting campaign to undermine the airline, using rumour, half-truths and fabrication to achieve their aim.
    It is well known that Ma is ideologically opposed to Cathay Pacific being the de facto HK flag carrier and has a deep-seated dislike for John Swire and Sons and the British Swire Group (the owners of Cathay Pacific). This situation does not suit Ma’s interests and relationships with mainland governments, airlines and corporations at all.
    In my view anything published by the SCMP regarding Cathay Pacific cannot be relied on for accuracy and should not be taken at face value.
    The below offers perhaps a more accurate and enlightened view.

    https://www.theregister.co.uk/2018/11/12/cathay_pacific_hack_data_siege_3_months/

    1 user thanked author for this post.

    stevescoots
    Participant

    Unfortunately the once venerable SCMP, formerly the Hong Kong newspaper of record, has now become little more than the mouthpiece of Jack Ma and his China-based Alibaba Group.

    For the past many months the SCMP has waged an unrelenting campaign to undermine the airline, using rumour, half-truths and fabrication to achieve their aim.

    It is well known that Ma is ideologically opposed to Cathay Pacific being the de facto HK flag carrier and has a deep-seated dislike for John Swire and Sons and the British Swire Group (the owners of Cathay Pacific). This situation does not suit Ma’s interests and relationships with mainland governments, airlines and corporations at all.

    In my view anything published by the SCMP regarding Cathay Pacific cannot be relied on for accuracy and should not be taken at face value.

    The below offers perhaps a more accurate and enlightened view.

    https://www.theregister.co.uk/2018/11/12/cathay_pacific_hack_data_siege_3_months/

    I agree with you on that. As I said before, it does not take much imagination to consider this a China state-sponsored attack to devalue the airline, ready for CZ to swoop in. After all, in China, national pride dictates that the local Guangdong carrier, China Southern, should be the flag carrier for a Chinese HK, not some colonial hangover.

    1 user thanked author for this post.