Philippine Daily Inquirer - FRONT PAGE - STORY BY ROY STEPHEN C. CANIVEL

Regulators are asking a Hong Kong airline to explain why it took six months to report a data breach that compromised customers’ personal information such as names, nationalities, birthdates, street and e-mail addresses, and telephone, passport and credit card numbers.

The personal data of over 100,000 Filipinos, including passport and credit card information, were compromised in a data breach at Hong Kong flag carrier Cathay Pacific Airways earlier this year.

The National Privacy Commission (NPC) said the data breach was first detected in March and confirmed in May this year, but Cathay Pacific informed the NPC only on Oct. 25 that Filipinos were affected.

“Among those fields taken were passenger name, nationality, date of birth, phone number, e-mail, credit card number, address, passport number, identity card number, frequent flyer membership number, customer service remarks and historical travel information,” the NPC said.

102,209 affected

The agency said a total of 102,209 Filipinos were affected in the data breach and the information in 35,700 passports and 144 credit cards was likely compromised.

The extent of the data compromised varies for each person, but it was a breach that involved 9.4 million passengers worldwide, Cathay Pacific said.

While the breach was found months earlier, the company claimed that it only determined “very recently” that Filipinos were also affected, the NPC said, citing the Cathay Pacific report.

Apparent failure to report

“On the surface, there appears to be a failure on the part of Cathay to report to this commission what it knew about the data breach at the time it confirmed unauthorized access, and what the affected data fields are,” the NPC said in an order dated Oct. 29 but released only on Saturday.

Under the country’s Data Privacy Law, a company or agency needs to notify the NPC within 72 hours of learning or even reasonably suspecting that a data breach happened.

Show cause order

This notification is mandatory if the data could be used to enable data fraud, if it’s in the wrong hands, and if there’s a real serious harm to the person, the NPC said.

Moreover, mandatory notification applies especially if the data is about the financial or economic situation of the person.

The NPC has ordered the airline to explain why it should not be prosecuted under the Data Privacy Act, which imposes criminal liability for the failure to notify.

The NPC asked the company to explain within 10 days why the airline should not be presumed to have failed to notify, which could make company officials criminally liable.

The NPC also told the company to submit within five days further information on measures that have been taken to address the breach.

Hong Kong also involved

Francis Acero, NPC division chief for complaints and investigations, told the Inquirer the airline would be given sufficient time to respond.

“[But] we don’t know when they received [the order]. We’ll let the process take its course,” he said.

Aside from the NPC, the Hong Kong government is also demanding more answers from the airline.

The Hong Kong government expressed on Oct. 26 its serious concern about the incident and ordered the airline to cooperate with its privacy agency.

The airline came under fire from the Office of the Privacy Commissioner for Personal Data for not disclosing the problem until more than half a year later, according to the South China Morning Post.

The newspaper quoted the airline as saying that it would “cooperate fully with authorities” and that it was in the process of contacting affected passengers.
