At the end of October, Cathay Pacific Airways Limited, the flag carrier of Hong Kong, announced that it had suffered a major data breach affecting up to 9.4 million passengers.
Exposed data includes passport numbers, identity card numbers, email addresses, and credit card details; the information exposed varies for each affected passenger.
The IT staff at Cathay discovered unauthorized access to systems containing the passenger data of up to 9.4 million people. Hackers also accessed 403 expired credit card numbers and twenty-seven credit card numbers with no CVV.
Cathay Pacific reported the incident to local police and legislators; it also set up a website for customers who want to know whether their personal data may have been exposed.
Now Cathay Pacific has admitted that it was under attack for three months and that it took six months to disclose the data breach.
In the official statement released by the airline, the company declared it had detected “suspicious activity” earlier, in March 2018.
A written submission by Cathay Pacific Airways Limited to Hong Kong’s Legco reveals that the company was aware in March that its servers were under a full-scale attack. The attacks continued during the investigation; for three months the company was under siege.
“During this phase of the investigation, Cathay was subject to further attacks which were at their most intense in March, April and May but continued thereafter. These ongoing attacks meant that internal and external IT security resources had to remain focused on containment and prevention.” reads the written submission.
“Remediation activities began as part of this effort and continued throughout. Even as the number of successful attacks diminished, we remained concerned that new attacks could be mounted.”
Of course, experts have criticized the company for keeping the security breach hidden for six long months, exposing its customers to further risks depending on the nature of the data exposed.
“During the second phase [confirming which data had been accessed], the two big issues were: which passenger data had been accessed or exfiltrated and, since the affected databases were only partially accessed, whether the data in question could be reconstructed outside Cathay’s IT systems in a readable format useable to the attacker(s).” continues the submission.
“Conclusions on these issues proved difficult and time-consuming and were only reached in mid-August.”
The company explained that it spent a lot of time reconstructing, for every single user, which data had been accessed.
(Security Affairs – Cathay Pacific, data breach)