Cathay Pacific is Beginning to Fess Up and it Likely Won’t Help Their GDPR Fine

November 12, 2018 CyberCecurity Leave a comment

As a reminder, Cathay Pacific Airlines recently admitted it was hacked and lost data on over 9 million passengers. Information taken includes names, addresses, passport information, birth dates and other information

They took a lot of heat for waiting 6 months to tell anyone about it (remember that GDPR requires you to tell the authorities within 72 hours).

Now they are reporting on the breach to Hong Kong’s Legco (their version of Parliament) and they admitted that they knew they were under attack in March, April and May AND it continued after that. So now, instead of waiting 6 months to fess up, it is coming out that they waited 9 months,

They also admitted that they really didn’t know what was taken and they didn’t know if the data taken would be usable to a hacker as it was pieces and parts of databases.

Finally, they said after all that, they waited some more to make sure that the information that they were telling people was precisely accurate.

Now they have set up a dedicated website at https://infosecurity.cathaypacific.com/en_HK.html for people who think their data has gone “walkies”.

So what lessons can you take away from their experience?

First of all, waiting 6 months to tell people their information has gone walkies is not going to make you a lot of friends with authorities inside or outside the United States. 9 months isn’t any better.

One might suggest that if they were fighting the bad guys for three months, they probably either didn’t have the right resources or sufficient resources on the problem.

It also means that they likely did not have an adequate incident response program.

Their business continuity program was also lacking.

None of these facts will win them brownie points with regulators, so you should review your programs and make sure that you could effectively respond to an attack.

Their next complaint was that they didn’t know what was taken. Why? Inadequate logs. You need to make sure that you are logging what you should be in order to respond to an attack.

They said that they wanted to make sure that they could tell people exactly what happened. While that is a nice theory, if you can’t do that within the legally required time, that bit of spin will cost you big time.

Clearly there is a lot that they could have done better.

While the authorities in Europe may fine them for this transgression, in China they have somewhat “harsher” penalties. Glad I am not in China.

Information for this post came from The Register.