The following is the media statement from the Privacy Commissioner’s Office following the conclusion of their investigation into the 2018 Cathay Pacific Airways breach. You can download their investigative report from their site here (pdf).
The Privacy Commissioner for Personal Data, Hong Kong (Privacy Commissioner) Mr Stephen Kai-yi WONG today published an investigation report on the data breach incident of unauthorised access to personal data of approximately 9.4 million passengers of Cathay Pacific Airways Limited and Hong Kong Dragon Airlines Limited (collectively referred to as Cathay). The Privacy Commissioner found Cathay contravened the data protection principles under the Personal Data (Privacy) Ordinance (Ordinance) relating to personal data security and retention. The Privacy Commissioner served an Enforcement Notice today to direct Cathay to remedy and prevent any recurrence of the contraventions.
Major Findings
Data Security
Cathay did not take all reasonably practicable steps to protect the affected passengers’ personal data against unauthorised access in terms of vulnerability management, adoption of effective technical security measures and data governance, contravening Data Protection Principle 4(1) of Schedule 1 to the Ordinance:
- Failure to identify the commonly known exploitable vulnerability and the exploitation, and failure to take reasonably practicable steps to accord due deployment of the internet facing server;
- Vulnerability scanning exercise for the Internet facing server at a yearly interval being too lax in the context of effectively protecting its information systems against evolving digital threats;
- Failure to take reasonably practicable steps not to expose the administrator console port of the Internet facing server to the Internet, as a result of which a gateway for attackers was opened;
- Failure to apply effective multi-factor authentication to all remote access users for accessing its IT system involving personal data;
- Producing unencrypted database backup files to facilitate migration of data centre without adopting effective security controls, thus exposing the personal data of the affected passengers to attackers;
- Failure to have an effective personal data inventory to cover all systems containing personal data; and
- Risk alertness being low and failure to take reasonably practicable steps to reduce the risk of malware infections and intrusions to its IT system after the earlier security incident in 2017.
Retention
There being no justifiable reasons, Cathay did not take all reasonably practicable steps to ensure that the Hong Kong Identity Card numbers of the affected passengers were not kept longer than was necessary for the fulfilment of the defunct verification purpose for which the data was used, contravening Data Protection Principle 2(2) of Schedule 1 to the Ordinance.
Data breach notification
There being no statutory requirements under the Ordinance for a data breach notification, whether to the Privacy Commissioner or the affected passengers, and whether within a particular period of time or otherwise, the Privacy Commissioner found no contravention of the Ordinance in this connection.
Cathay could have notified the affected passengers of the suspicious activity once detected back in March 2018 and advised them of the appropriate steps to take earlier to meet their legitimate expectation.
Enforcement Notice
The Privacy Commissioner exercised his power pursuant to section 50(1) of the Ordinance and served an Enforcement Notice to direct Cathay to:
- Engage an independent data security expert to overhaul the systems containing personal data;
- Implement effective multi-factor authentication to all remote users for accessing its IT system involving personal data and undertake to conduct regular review of remote access privileges;
- Conduct effective vulnerability scans at server and application levels;
- Engage an independent data security expert to conduct reviews/tests of the security of Cathay’s network;
- Devise a clear data retention policy to specify the retention period(s) of passengers’ data, which is no longer than is necessary for the fulfilment of the purpose, and undertake to implement effective measures to ensure effective execution; and
- Completely obliterate all unnecessary HKID Card numbers collected from Asia Miles membership programme from all systems.
Data Governance
Mr Stephen Kai-yi WONG, the Privacy Commissioner, added:
“During the investigation, I was mindful of the accuracy and sensitivity, and exercised due care and diligence to ensure that I had the accurate facts on which my investigation and findings were based and that disclosure of these facts could not be potentially exploited or used to compromise Cathay’s information systems security, flight operation and business secrets. It is quite clear that contraventions aside, Cathay adopted a lax attitude towards data governance, which fell short of the expectation of its affected passengers and the regulator.”