NPC orders int’l airline to address data breach issue
Personal data of over 100,000 Filipinos have been compromised in a breach on the system of an international airline earlier this year, according to the National Privacy Commission (NPC).
A report submitted by Cathay Pacific to the commission revealed that data of 102,209 Filipinos were compromised in the breach that happened in March.
Among those exposed were around 35,700 Philippine passport numbers, as well as credit card details of 144 Filipino users.
In an order dated Oct. 29, NPC complaints and investigations division chief Francis Euston Acero directed Cathay Pacific officials to explain within 10 days why it failed to timely notify the commission of the breach that affected Filipinos.
In addition, the NPC has ordered Cathay Pacific to submit within five days further information on measures being taken to address the breach.
He noted in the four-page order that the incident falls under the Philippine Data Privacy Act of 2012, which requires data controllers to report an incident of data breach within 72 hours after its discovery.
“For a full appreciation of the circumstances surrounding this report, and the data breach that it describes, it is necessary to require Cathay to explain, in writing, why Cathay and its responsible officers should not be prosecuted under the provisions of the Data Privacy Act of 2012 for Concealment of Security Breaches Involving Sensitive Personal Information,” the NPC said.
The NPC said the airline noticed suspicious activities on its system on March 13 and on May Cathay Pacific’s forensics investigators confirmed there was unauthorized access to some information within the airline affecting the personal data of passengers of both Cathay Pacific and Hong Kong Dragon Airlines Ltd., as well as of members of the frequent flyer program Asia Miles.
Among the exposed information were passenger name, nationality, date of birth, phone number, e-mail, credit card number, address, passport number, identity card number, frequent flyer membership number, customer service remarks and historical travel information.
Cathay, through its representative lawyer Pericles Casuela, only notified the NPC of the incident last Oct. 25 after it determined “very recently” the nationalities of those affected.
“On the surface, there appears to be a failure on the part of Cathay to report to this commission what it knew about the data breach at the time it confirmed unauthorized access and what the affected data fields are,” the order read.
“Cathay’s term ‘very recently’ does not establish any timeline through which we may determine the timeliness of the report dated 25 October 2018,” it added.
The NPC said the failure to report such a data breach in a timely manner may require the commission to fulfill its mandate to ensure compliance of personal information controllers with the provisions of the Data Privacy Act.
“Philippine law imposes criminal liability on persons who, after having knowledge of a security breach and of the obligation to notify the commission under Philippine law, intentionally or by commission conceals the fact of such security breach,” the commission said.
When a failure to notify or delay happens, the NPC may investigate further on circumstances surrounding the data breach.