PH passports, credit cards compromised after Cathay Pacific’s data breach
The National Privacy Commission (NPC) has ordered Cathay Pacific Airways to explain the data breach on the airline’s system that affected personal data of over 100,000 Filipinos, more than 35,000 Philippine passport numbers, and over 100 credit card numbers.
In an order issued October 29, 2018 but only released to media on November 10, the NPC required the Hong Kong-based airline to explain, within 10 days, why it should not be held criminally liable for its presumed failure to notify the Commission in a timely manner about the occurrence of a data breach.
The data privacy watchdog also ordered Cathay to submit within five days further information on the measures taken to address the breach.
“For a full appreciation of the circumstances surrounding this report, and the data breach that it describes, it is necessary to require Cathay to explain, in writing, why Cathay and its responsible officers should not be prosecuted under the provisions of the Data Privacy Act of 2012 for Concealment of Security Breaches Involving Sensitive Personal Information,” the order stated.
“We take personal breaches seriously. Under the Data Privacy Act, non-disclosure of a breach is a serious offense that is why we remind data controllers of their obligation to properly notify the NPC whenever breaches occur. We expect everyone to abide by this provision... We have established strong ties with other jurisdictions when it comes to exchange of information and enforcement. We will use this to the hilt in matters like this,” said NPC Commissioner and Chairman Raymund E. Liboro.
Cathay noted the suspicious activity on its network on March 13, 2018. It determined that the illegally exposed data included passenger name, nationality, date of birth, phone number, e-mail, credit card number, address, passport number, identity card number, frequent flyer membership number, customer service remarks, and historical travel information.
But Cathay only “very recently” determined how many Filipinos were affected through Philippine passport details, or where other personal data in Cathay’s possession contained a Philippine address or telephone number.
From their analysis, some 102,209 Filipino travelers had their data compromised. Roughly 35,700 passport numbers and 144 credit card numbers from the Philippines were exposed.
Failure to notify
Under Philippine law, notification to NPC and to the data subjects of the existence of a data breach is mandatory within 72 hours from discovery. The law also provides that when there is a failure to notify this Commission, or when the Commission determines that there is an unreasonable delay to the notification, there is a presumption that there is a failure to notify.
When such a failure or delay exists, the Commission may investigate further the circumstances surrounding the data breach, including the failure to report or any undue delay.
“The failure to report such a data breach in a timely manner may require this Commission to fulfill its mandate to ensure compliance of personal information controllers with the provisions of the Data Privacy Act,” the order stated.
Philippine law imposes criminal liability on persons who, after having knowledge of a security breach and of the obligation to notify the Commission, intentionally or by omission conceal the fact of such security breach.
“On the surface, there appears to be a failure on the part of Cathay to report to this Commission what it knew about the data breach at the time it confirmed unauthorized access, and what the affected data fields are,” the order added.
The NPC also noted that Cathay’s term, “very recently,” does not establish any timeline from which the Commission may determine the timeliness of the report dated 25 October 2018. Personal information controllers also need to explain, in the mandatory report, the remedial measures taken following a data breach. On the face of the report, Cathay’s statements that it has “enhanced the security and monitoring with its environment” and is “working with [Mandiant], as well as other cybersecurity experts, to implement measures to prevent future unauthorized access to its systems and databases, as well as further enhance its IT security generally” do not meet the specificity required of notifications to the Commission.
For this matter, the Commission may require, as it does, further information from the personal information controller.
9.4 million passengers affected
Hong Kong's privacy commissioner is also launching a compliance investigation into Cathay’s data breach involving 9.4 million passengers, saying the carrier may have violated privacy rules.
The airline has faced criticism for the seven-month delay in its October revelation of the breach in the data, which it said had been accessed without authorization, following suspicious activity in its network in March.
"There are reasonable grounds to believe there may be a contravention of a requirement under the law," Hong Kong's Privacy Commissioner for Personal Data, Stephen Wong, said in a statement.
"The compliance investigation is going to examine in detail, amongst others, the security measures taken by Cathay Pacific to safeguard its customers' personal data and the airline's data retention policy and practice," he added.
It will also cover Cathay's fully owned subsidiary, Hong Kong Dragon Airlines Ltd, or Dragon Air, some of whose passengers were affected by the breach. (With a report from Reuters)