Cathay Pacific faces probe over breach

‘REASONABLE GROUNDS’::The privacy commissioner could call witnesses and enter premises in the investigation, which would check if the carrier breached privacy law

Reuters, HONG KONG

Wed, Nov 07, 2018 - Page 10

Hong Kong’s privacy commissioner is to launch a compliance investigation into Cathay Pacific Airways Ltd (國泰航空) over a data breach involving 9.4 million passengers, saying that the carrier might have breached privacy rules.

The airline has faced criticism for the seven-month delay in its revelation last month of the breach in the data, which it said had been accessed without authorization, following suspicious activity in its network in March.

“There are reasonable grounds to believe there may be a contravention of a requirement under the law,” Hong Kong Privacy Commissioner for Personal Data Stephen Wong (黃繼兒) said in a statement.

“The compliance investigation is going to examine in detail, amongst others, the security measures taken by Cathay Pacific to safeguard its customers’ personal data and the airline’s data retention policy and practice,” he added.

It would also cover Cathay’s fully owned subsidiary, Hong Kong Dragon Airlines Ltd (港龍航空), or Dragon Air, some of whose passengers were affected by the breach.

A Cathay spokeswoman said in an e-mail to reporters that the airline was studying the statement and would “continue to cooperate fully with the authorities.”

The privacy watchdog said it had received 89 complaints related to the data breach.

In addition to 860,000 passport numbers and about 245,000 Hong Kong identity card numbers, the hackers accessed 403 expired credit card numbers and 27 credit card numbers with no card verification value, Cathay said.

It was not immediately clear who was behind the personal data breach or what the information might be used for, but Cathay said that there had been no evidence that any personal information had been misused.

Under Hong Kong law, the privacy commissioner can call witnesses, enter premises and hold public hearings in the investigation, which would check if Cathay contravened any requirement of the Personal Data (Privacy) Ordinance.

The controversy has spurred calls from politicians and privacy advocates for Hong Kong to revamp its laws to make the reporting of such potential data breaches mandatory.

Cathay’s share price initially plunged to its lowest since June 2009 after the scandal, but has rebounded and recovered all its losses.

The data breach came amid an airline turnaround to cut costs and boost revenue after back-to-back years of losses, so as to better compete with rivals from the Middle East, China and budget airlines.

Cathay Pacific in August posted a narrower half-year loss on a strong rise in airfares and cargo rates, and flagged expectations for a better second half, despite economic headwinds from mounting US-China trade tension.