There are more horrible things than meets the eye with the October 2018 data breach of Cathay Pacific Airways, the airline confessed after a month of deeper investigation. The airline has finally revealed that the attack was not a one-time, big-time event, but rather a quarter-long affair. The Hongkong lawmakers have successfully forced the airline to disclose more information about the busy tasks their IT team is doing just to quarantine the system, to prevent more records from being exposed to unknown parties.
Seems like the airline has a misplaced level of urgency, as their investment for cybersecurity defense to the tune of $127 million US Dollars failed to secure their systems leading to the October 2018 hack. The Hongkong authorities realized that the measly amount was just a drop in the bucket for Cathay Pacific which earned an estimated $292 Hongkong Dollars for the same period. The real score in the story was the hack already started since March 2018, and Cathay Pacific lied to the public, for saying that the hack only started on October 2018.
“During this phase of the investigation, Cathay was subject to further attacks which were at their most intense in March, April and May but continued thereafter. These ongoing attacks meant that internal and external IT security resources had to remain focused on containment and prevention. The investigation was complex, longer than what we would have wished, and we would have liked to have been able to provide this information sooner,” explained a Cathay Pacific representative.
As an international airline, Cathay Pacific is seen to also lawfully responsible to disclose the hacking incident with the European Commission, under GDPR. It is still unknown how much Cathay needs to settle with EU when it comes to the penalty they need to pay, due to the non-disclosure of the data breach beyond 24 hours.
“The two big issues were: which passenger data had been accessed or exfiltrated and, since the affected databases were only partially assessed, whether the data in question could be reconstructed outside Cathay’s IT systems in a readable format useable to the attacker(s). Conclusions on these issues proved difficult and time-consuming and were only reached in mid-August. Throughout our investigation into this incident, our foremost objective and primary motivation has been to support our affected passengers by providing accurate and meaningful information,” added Cathay Pacific representative.
Cathay Pacific already set up an official microsite, which they discussed to the public and their customers the situation. Meanwhile, as the Hongkong lawmakers continue to press the airline for “valid explanation” on why they lied first time when the hack started, more questions than answers are produced. “The two big issues were: which passenger data had been accessed or exfiltrated and, since the affected databases were only partially accessed, whether the data in question could be reconstructed outside Cathay’s IT systems in a readable format useable to the attacker(s). Conclusions on these issues proved difficult and time-consuming and were only reached in mid-August. (We) wanted to be able to give a single, accurate and meaningful notification to each affected passenger, rather than to provide an overly broad and non-specific notice,” concluded Cathay Pacific.
