
Maltem Meet-up « Cyber Security : The importance of security controls »

The Hong Kong Office of the Privacy Commissioner for Personal Data (PCPD) revealed that it received 129 data breach reports in 2018, up 22 per cent from the year before and 80 per cent higher than in 2014. It shows that companies are never 100% secure, and that continuous and regular reporting, review and testing of the infrastructure are necessary.

Our experts from Maltem Hong Kong analyse two data breaches, Cathay Pacific in 2018 and Marriott in 2020, and discuss how to react in case of a potential security breach.

4 June 2020, 11:00 AM Paris, by Jordan Touati and Maxence Guiheux

Cathay Pacific (First Breach)


What happened ?

In October 2018, Cathay Pacific revealed that it had suffered a major data breach seven months earlier, in which the private information of 9.4 million people was accessed by hackers. The affected customers were members of its Asia Miles loyalty programme and Marco Polo frequent flyer scheme, as well as non-member passengers.

At that time Cathay was facing one of the worst crises in its history, the largest data breach in aviation, and was questioned by 27 regulators from 15 jurisdictions.

The investigation found that two separate groups were involved. The first inserted malware (a keylogger) on a reporting system in October 2014; it harvested credentials that allowed the attackers to move laterally through the network and collect further credentials, until the activity ceased in March 2018.

The second group exploited a decade-old vulnerability on an internet-facing server, which allowed them to bypass authentication and reach the administration tools residing on that server. Cathay stated that it had been unable to patch the system because the patch was incompatible with an Airbus fleet manual application running on it, and that its annual vulnerability scanning exercise had not detected the flaw because no signature had been released for it. The investigation by the ICO (Information Commissioner's Office) rejected the second point, noting that the relevant signatures had been available since 2013.

The first detection of suspicious activity came in March 2018, when a brute-force attack locked out the accounts of 500 staff. The internal investigation that followed uncovered the October 2014 intrusion, and the company went on to detect further activity through April and May and up to August 2018. Cathay disclosed the breach only in October 2018, saying it had needed additional investigation to establish exactly which data had been leaked.
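The event that finally triggered detection was a burst of failed logins that locked out hundreds of staff accounts. The script below is an added example (not from the meetup page and not Cathay Pacific's tooling) of the sliding-window detection that would surface such a burst from authentication logs: it flags a source that either produces many failed logins spread over several accounts or locks out several distinct accounts within a short window, the classic password-spraying pattern. The log format, the field names and the thresholds are assumptions for the example, and the log lines are constructed inline.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed log format (constructed for this example, not any real product's format):
#   2018-03-13T02:14:07Z auth src=203.0.113.7 user=jsmith result=FAIL
LINE_RE = re.compile(
    r"^(?P<ts>\S+) auth src=(?P<src>\S+) user=(?P<user>\S+) result=(?P<result>\w+)$"
)


def parse_line(line):
    """Parse one log line into a dict (ts as datetime); return None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return ev


def detect_bruteforce(lines, window=timedelta(minutes=5), fail_threshold=20, lockout_threshold=5):
    """Sliding-window brute-force / password-spray detector, one alert per source.

    A source is flagged when, inside `window`, it causes at least `fail_threshold`
    failed logins spread over more than one account, or locks out at least
    `lockout_threshold` distinct accounts. The thresholds are assumptions for the
    example; tune them to the real login volume of the environment.
    """
    fails = defaultdict(deque)     # src -> (ts, user) of FAIL events still inside the window
    lockouts = defaultdict(deque)  # src -> (ts, user) of LOCKOUT events still inside the window
    alerts = {}                    # src -> alert dict; the first trigger wins
    for line in lines:
        ev = parse_line(line)
        if ev is None or ev["result"] not in ("FAIL", "LOCKOUT"):
            continue
        src, now = ev["src"], ev["ts"]
        for q in (fails[src], lockouts[src]):
            while q and now - q[0][0] > window:   # evict events older than the window
                q.popleft()
        (fails if ev["result"] == "FAIL" else lockouts)[src].append((now, ev["user"]))
        if src in alerts:
            continue
        fail_users = {u for _, u in fails[src]}
        lock_users = {u for _, u in lockouts[src]}
        if len(fails[src]) >= fail_threshold and len(fail_users) > 1:
            alerts[src] = {"src": src, "reason": "failed-login burst", "users": sorted(fail_users), "at": now}
        elif len(lock_users) >= lockout_threshold:
            alerts[src] = {"src": src, "reason": "lockout spray", "users": sorted(lock_users), "at": now}
    return list(alerts.values())


def sample_log():
    """Constructed sample: one source sprays six staff accounts; another is a user mistyping a password."""
    base = datetime(2018, 3, 13, 2, 14, 0)
    fmt = "{:%Y-%m-%dT%H:%M:%SZ} auth src={} user={} result={}"
    lines, i = [], 0
    for user in ["jsmith", "achan", "mwong", "rlee", "ptan", "kho"]:
        for result in ["FAIL"] * 4 + ["LOCKOUT"]:      # four wrong passwords, then the account locks
            lines.append(fmt.format(base + timedelta(seconds=7 * i), "203.0.113.7", user, result))
            i += 1
    for j, result in enumerate(["FAIL", "FAIL", "OK"]):  # benign: two typos, then success
        lines.append(fmt.format(base + timedelta(seconds=40 * j), "198.51.100.2", "dng", result))
    lines.append("kernel: unrelated line that does not parse")
    return lines


if __name__ == "__main__":
    for alert in detect_bruteforce(sample_log()):
        print(f"{alert['at']:%H:%M:%S} {alert['src']}: {alert['reason']} against {len(alert['users'])} accounts")
```

Run against the sample, only the spraying source is reported; the benign user with two typos stays below both thresholds, and the unparseable line is skipped rather than crashing the detector. Keying on the source address is the simplest choice; a production rule would also key on the target account and on the lockout events the directory itself emits, so that a spray from many sources is still caught.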

Some of the information accessed (share of affected customers):

  • Flight information (61%)
  • Email addresses (53%)
  • Passport numbers (9%)
  • Dates of birth (8%)
  • Various identity card numbers (6%)
  • 430 credit card numbers, of which 403 were expired

Impact ?

For the client :

Names, birthdays, travel itineraries and passport details could be used to reset passwords or obtain private financial information.

This information could also be reused for social engineering attacks, for example phishing, where attackers send fake emails to their targets in order to harvest confidential information.

At the time, Cathay offered affected users the option to enrol in IdentityWorks, a personal information monitoring service, free of charge for one year. It also invalidated all members' passwords to force a reset at their next login.

For the company :

Of course, the main impact is the loss of trust and the reputational damage.

At the time it was reported that, if the carrier were found in breach of the new European Union data privacy law, it could face a fine of up to 4 per cent of annual global revenue.

The Privacy Commissioner ordered a series of enforcement actions, to be completed within 6 months: make sure the systems are free of malware and vulnerabilities, implement proper multi-factor authentication, scan for vulnerabilities more regularly, have regular independent security tests performed, and create a clear data retention policy.

When the report was published in June 2019, the Commissioner had received 143 complaints and 176 inquiries from the public in relation to the incident.

Now, coming to the fines. As you may know, the GDPR (General Data Protection Regulation) has applied in Europe since May 2018. It provides that companies violating the privacy law face a maximum fine of 17.5 million pounds or 4% of global turnover, whichever is higher. In this context, it was announced in March 2020 that Cathay had been fined 500,000 pounds, more than 110,000 UK customers having been affected. Cathay was lucky: because of the timing, it was treated under the previous UK legislation (the UK Data Protection Act); under the GDPR it would have faced a substantially larger fine. For comparison, British Airways, which leaked the data of 500,000 customers in June 2018, is facing a record penalty of more than 183 million pounds, about 1.5% of its total revenue for 2018. Days later, Marriott was also informed of the ICO's intention to fine it 99 million pounds for the breach disclosed in November 2018.

What could have been done to avoid it ?

The Hong Kong Privacy Commissioner for Personal Data criticised Cathay for allowing administration tools to be accessed from the internet.

The ICO also said that Cathay should have had an inventory of personal data covering all its systems (out of 120 systems containing personal data, 4 were hit in the pair of attacks).

Cathay was also called out for leaving encrypted database backups on production servers during a migration.

Cathay committed to improvements in internal reporting, board governance and risk management.

Marriott (Second Breach)


What happened ?

At the end of February 2020, Marriott discovered that the information of 5.2 million guests had been accessed using the login credentials of two employees at a franchise property.

Impact ?

Roughly the same as for Cathay Pacific.

What could have been done to avoid it ?

Good hygiene of privileged accounts, for example through a PAM solution such as CyberArk, where privileged access is centrally managed with security features such as automatic password rotation, monitoring of account activity, integration with the SIEM, accountability and 2FA.

An IAM solution such as SailPoint: provisioning, deprovisioning and modification processes for accounts, so that access follows joiners, movers and leavers.
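The two paragraphs above describe what a PAM and an IAM product automate. The script below is an added example, not from the meetup page and not CyberArk or SailPoint code, that implements those checks in plain Python over a constructed HR roster and directory export: enabled accounts with no HR record (orphans), enabled accounts of terminated employees (leavers), privileged access kept after a role change (movers), privileged accounts without MFA, privileged passwords past their rotation deadline, and dormant accounts that should have been disabled. The policy values, roles and people are all assumptions for the example.

```python
from dataclasses import dataclass
from datetime import date, timedelta


@dataclass
class Employee:          # one row of the HR roster, the source of truth for who should have access
    uid: str
    status: str          # "active" or "terminated"
    role: str


@dataclass
class Account:           # one row exported from the directory / PAM vault
    uid: str
    enabled: bool
    privileged: bool
    mfa_enrolled: bool
    password_changed: date
    last_login: date


# Policy values are assumptions for the example; real ones come from the organisation's standard.
PRIVILEGED_ROLES = {"it-admin", "security"}
ROTATION_MAX_DAYS = 30      # privileged credentials must be rotated at least this often
DORMANT_DAYS = 90           # an account unused for longer than this should be disabled


def reconcile(roster, accounts, today):
    """Compare directory accounts with the HR roster and return sorted (uid, finding) pairs.

    Disabled accounts are skipped: deprovisioning already happened for them.
    """
    by_uid = {e.uid: e for e in roster}
    findings = []
    for acct in accounts:
        if not acct.enabled:
            continue
        emp = by_uid.get(acct.uid)
        if emp is None:
            findings.append((acct.uid, "orphan: enabled account with no HR record"))
        elif emp.status == "terminated":
            findings.append((acct.uid, "leaver: enabled account for a terminated employee"))
        elif acct.privileged and emp.role not in PRIVILEGED_ROLES:
            findings.append((acct.uid, "mover: privileged access outside the current role"))
        if acct.privileged and not acct.mfa_enrolled:
            findings.append((acct.uid, "privileged account without MFA"))
        if acct.privileged and (today - acct.password_changed).days > ROTATION_MAX_DAYS:
            findings.append((acct.uid, "privileged password overdue for rotation"))
        if (today - acct.last_login).days > DORMANT_DAYS:
            findings.append((acct.uid, "dormant account still enabled"))
    return sorted(findings)


def sample_data(today):
    """Constructed roster and directory export covering each finding type plus two clean accounts."""
    def d(days):
        return today - timedelta(days=days)

    roster = [
        Employee("alice", "active", "it-admin"),
        Employee("bob", "terminated", "front-desk"),
        Employee("carol", "active", "front-desk"),
        Employee("erin", "active", "front-desk"),
        Employee("frank", "terminated", "it-admin"),
    ]
    accounts = [
        Account("alice", True, True, True, d(10), d(1)),       # clean privileged admin
        Account("bob", True, False, False, d(20), d(3)),       # left the company, never deprovisioned
        Account("carol", True, True, False, d(60), d(2)),      # moved to front desk, kept admin rights, no MFA
        Account("dave", True, False, False, d(5), d(1)),       # no HR record at all
        Account("erin", True, False, False, d(15), d(120)),    # has not logged in for four months
        Account("frank", False, True, True, d(200), d(200)),   # correctly disabled on departure
    ]
    return roster, accounts


def run_report(today=date(2020, 6, 4)):
    """Run the reconciliation on the constructed data; `today` defaults to the meetup date."""
    roster, accounts = sample_data(today)
    return reconcile(roster, accounts, today)


if __name__ == "__main__":
    for uid, finding in run_report():
        print(f"{uid:6} {finding}")
```

The point of the reconciliation is that the HR roster, not the directory, decides who should have an account; a breach through two employees' credentials is much less likely when every privileged account is tied to a current role, protected by MFA and rotated on schedule, and when leavers are disabled the day they go.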

And since employees are often the weakest link in the organisation, a security awareness programme is also a good way to educate them on best practices and train them on how to react to a potential security incident (phishing attack, session lockout, data leakage).

Conclusion / Consequences

The Hong Kong Office of the Privacy Commissioner for Personal Data (PCPD) revealed it received 129 data breach reports in 2018, which is up 22 per cent from the year before, and 80 per cent higher than in 2014.

Currently, companies in Hong Kong involved in data breaches are under no obligation to report the incident. At the beginning of the year it was reported that a new law would give companies 5 days to report a breach and give the watchdog the power to fine offenders a proportion of their global income; today, only a failure to comply with an enforcement notice attracts a fine of 50,000 HKD and up to 2 years in prison.

Despite the 1 billion HKD that Cathay invested in IT infrastructure and security in the 3 years before the breach, it shows that companies are never 100% secure, and that continuous and regular reporting, review and testing of the infrastructure are necessary.

However, given the financial losses that data breaches cause, companies cannot afford to cut their security budgets.