Cathay Pacific (First Breach)
What happened?
Back in October 2018, Cathay Pacific revealed that it had suffered a major data breach seven months earlier, in which the private information of 9.4 million people was accessed by hackers. The affected customers were members of its Asia Miles loyalty programme and Marco Polo frequent flyer scheme, as well as non-member passengers.
At the time, Cathay was facing one of the worst crises in its history, the largest data breach in aviation, and was questioned by 27 regulators from 15 jurisdictions.
The investigation found that two groups were involved. The first inserted malware (a keylogger) into a reporting system in October 2014; it harvested credentials that allowed the attackers to move laterally through the network and gather further credentials, before the activity ceased in March 2018.
The second group exploited a decade-old vulnerability on an internet-facing server that allowed them to bypass authentication and reach administration tools residing on that server. Cathay stated it had been unable to patch the system because doing so was incompatible with an Airbus fleet manual application. The investigation by the ICO (Information Commissioner's Office) also noted that Cathay's annual vulnerability scanning exercise had not detected the vulnerability, which Cathay attributed to the scanner signature not having been released; the ICO pointed out that the relevant signatures had appeared in 2013.
The first detection of suspicious activity came in March 2018, when a brute-force attack left 500 staff with locked accounts. The internal investigation that followed uncovered the October 2014 access, and the company went on to detect further activity through April and May, and up to August 2018. Cathay disclosed the breach only in October 2018, saying it had wanted to carry out additional investigation to be certain which data had been leaked.
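As an added example (not from the original post) of the kind of detection that would surface such a lockout storm early, the Python below groups account-lockout events into fixed time windows and raises an alert when many distinct accounts are locked within the same window, naming the source that caused most of them. The log format, field names and sample lines are constructed for this example, and the threshold is deliberately low to fit the sample; in production it would be tuned against the normal rate of forgotten-password lockouts.

```python
from collections import defaultdict
from datetime import datetime, time, timedelta

# Constructed sample log lines (hypothetical format, not real Cathay data).
SAMPLE_LOG = """\
2018-03-12T08:00:01Z event=ACCOUNT_LOCKED user=alice src=203.0.113.7
2018-03-12T08:00:03Z event=ACCOUNT_LOCKED user=bob src=203.0.113.7
2018-03-12T08:00:04Z event=LOGIN_OK user=carol src=198.51.100.2
2018-03-12T08:00:09Z event=ACCOUNT_LOCKED user=dave src=203.0.113.7
2018-03-12T08:00:15Z event=ACCOUNT_LOCKED user=erin src=203.0.113.7
2018-03-12T08:00:16Z event=ACCOUNT_LOCKED user=alice src=203.0.113.7
2018-03-12T09:30:00Z event=ACCOUNT_LOCKED user=frank src=198.51.100.9
"""

def parse(line):
    """Parse one 'timestamp key=value ...' line into a dict."""
    ts, *kv = line.split()
    fields = dict(p.split("=", 1) for p in kv)
    fields["ts"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
    return fields

def lockout_storms(log_text, window_minutes=10, threshold=3):
    """Bucket ACCOUNT_LOCKED events into fixed windows and return one alert per
    window in which at least `threshold` distinct accounts were locked.
    A few lockouts are normal; many distinct accounts locked from one source
    within minutes is the footprint of a brute-force attack."""
    buckets = defaultdict(lambda: {"users": set(), "srcs": defaultdict(int)})
    for line in log_text.splitlines():
        if not line.strip():
            continue
        e = parse(line)
        if e["event"] != "ACCOUNT_LOCKED":
            continue
        minute_of_day = e["ts"].hour * 60 + e["ts"].minute
        key = (e["ts"].date(), minute_of_day // window_minutes)
        buckets[key]["users"].add(e["user"])
        buckets[key]["srcs"][e["src"]] += 1
    alerts = []
    for (day, idx), b in sorted(buckets.items()):
        if len(b["users"]) < threshold:
            continue  # below threshold: ordinary lockout noise
        start = datetime.combine(day, time()) + timedelta(minutes=idx * window_minutes)
        top_src = max(b["srcs"].items(), key=lambda kv: kv[1])
        alerts.append({"window_start": start.isoformat(),
                       "locked_accounts": len(b["users"]),
                       "top_src": top_src})
    return alerts

if __name__ == "__main__":
    for alert in lockout_storms(SAMPLE_LOG):
        print(alert)
```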
Some of the information accessed:
- Flight information (61%)
- Email addresses (53%)
- Passport numbers (9%)
- Dates of birth (8%)
- Various identity card numbers (6%); 430 credit card numbers were taken, of which 403 were expired
For the clients:
Names, birthdays, travel itineraries and passport details could be used to reset passwords or obtain private financial information.
This information could also be reused for social engineering attacks, for example phishing, where attackers send fake emails to their targets in order to gather confidential information.
At the time, Cathay offered users the option to enrol in IdentityWorks, a personal information monitoring service, free of charge for 1 year. It also disabled all members' passwords to force a reset on their next login.
For the company:
Of course, the main impact is the loss of trust and the reputational damage.
The carrier was found in breach of the new European Union data privacy laws; under those laws it could face a fine of up to 4 per cent of annual global revenue.
The privacy commissioner ordered a series of enforcement actions for the next 6 months: make sure the systems are free of malware and vulnerabilities, implement proper multi-factor authentication, scan for vulnerabilities more regularly, have regular independent security tests completed, and create a clear data retention policy.
When the report was published in June 2019, the commissioner had received 143 complaints and 176 inquiries from the public in relation to the incident.
Now, coming to the fines. As you may know, the GDPR (General Data Protection Regulation) has applied in Europe since May 2018. It says that companies violating the privacy law face a maximum fine of 17.5 million pounds, or 4% of global turnover, whichever is higher. In this context, it was announced in March this year that Cathay has been fined 500,000 pounds, as more than 110,000 UK customers were impacted. Cathay has been lucky: because of the timing, it was treated under the previous UK data protection legislation (the UK Data Protection Act); otherwise it would have faced a substantially larger fine under the GDPR. For instance, British Airways, which leaked data on 500,000 customers in June 2018, is facing a record penalty of more than 183 million pounds, totalling 1.5% of its total revenues for 2018. Days later, Marriott was also informed of the ICO's intention to fine it 99 million pounds for the breach disclosed in November 2018.
What could have been done to avoid it?
The HK Privacy Commissioner for Personal Data criticised Cathay for allowing administration tools to be accessed from the internet.
The ICO also said Cathay should have had an inventory of personal data covering all its systems (out of 120 systems containing personal data, 4 were hit in the pair of attacks).
Cathay was also called out for leaving encrypted database backups on production servers during migration.
Cathay committed to improvements in internal reporting, board governance and risk management.