Security Advisory: Cathay Pacific and Cathay Dragon Passenger Data Breach
According to Cathay Pacific's announcement on the Hong Kong Stock Exchange, the airline discovered unauthorised access to the personal data of about 9.4 million passengers, including passengers of its subsidiary Cathay Dragon, in early March 2018. The types of personal data accessed were passenger names, nationalities, dates of birth, telephone numbers, email addresses, physical addresses, passport numbers, identity card numbers, frequent flyer programme membership numbers, customer service remarks and historical travel information. Around 860,000 passport numbers and around 245,000 HKID numbers were accessed. In addition, 403 expired credit card numbers and 27 credit card numbers without CVV were accessed. The company stated that it has engaged a cyber security firm and has reported the incident to the Hong Kong Police for investigation.
Recommendations for Enterprises and Organizations
HKCERT urges organisations to strengthen their data protection and security controls so that unauthorised access and data breaches are prevented, or at least detected promptly. The recommendations are:
- Establish a data classification policy that identifies confidential and sensitive information (in this case passport and identity card numbers, contact details and travel history), and apply proper controls such as encryption and access rights to that information. Classification is what makes the other controls actionable: a DLP rule or an access review can only target data the organisation knows it holds.
- Separate the enterprise internal network from Internet-facing networks, and keep database servers out of direct reach of the Internet. For larger networks, consider more granular segmentation according to the sensitivity of each service.
- Deploy next-generation firewalls with application control, so that only the expected applications and protocols can cross network boundaries.
- Perform regular vulnerability scanning of websites and web applications (e.g. e-commerce, online payment) to identify weak configurations or vulnerabilities. For sensitive services, also conduct penetration tests.
- Apply patches regularly and fix configuration issues. Note that many data breaches do not involve an exploit at all but result from improper or weak configuration, such as excessive administrator rights or data storage with no access control.
- Secure and monitor privileged access, particularly accounts reachable from the Internet such as web or cloud hosting consoles. Enforce multi-factor authentication on these accounts.
- Manage the security of supply chain partners (suppliers and contractors) in addition to your own infrastructure. Plan for the scenario in which a partner's network or software development cycle is compromised.
- Protect data and prevent leakage: encrypt and mask sensitive data, and deploy a data loss prevention (DLP) solution based on risk assessment and cost evaluation. DLP can help detect data exfiltration, but only for the identifiers it has been configured to recognise, so tune it to the data types the organisation actually holds and validate matches (for example by check digit) to keep false positives manageable.
- Monitor network traffic for suspicious activity, including unexpected outbound traffic such as large exfiltration volumes and anomalous DNS queries. Collect events and alerts from servers and endpoints in a security information and event management (SIEM) system and define alerts for abnormal events or potential breaches.
- Run user awareness programmes continuously, with sharing of relevant cases. Real-life drills such as phishing simulations pinpoint weaknesses on the human side.
- Larger enterprises can build a cyber threat intelligence capability to complement their detection mechanisms.
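The data classification and DLP recommendations above come together in content inspection: a rule that recognises the organisation's own identifiers in outbound data. The following Python example, added here and not code from HKCERT or Cathay Pacific, scans an outbound payload for Hong Kong Identity Card (HKID) numbers, validates each candidate with the publicly documented HKID check digit so that look-alike tokens are not counted, and masks the confirmed ones for any copy that may be displayed or exported. The sample export, the masking pattern (prefix and check digit kept, middle digits replaced) and the block threshold are assumptions for illustration; passport numbers have no universal check digit, so they would need format-only rules and are not covered here.

```python
"""Content-aware DLP check for Hong Kong Identity Card (HKID) numbers.

Added example for this advisory; not code from HKCERT or Cathay Pacific.
A plain regex for "letter(s) + 6 digits + check" fires on many harmless
tokens, so the check digit is validated before a match counts. The
check-digit scheme is the publicly documented one: the 8-character body
(a single-letter prefix is padded with a leading space) is weighted
9,8,...,2 with A-Z = 10-35 and space = 36, and the checksum is taken mod 11.
"""
import re

# Format match only. Validity is decided by the check digit, not the pattern.
HKID_RE = re.compile(
    r"(?<![A-Z0-9])([A-Z]{1,2})(\d{6})\(?([0-9A])\)?(?![A-Z0-9])"
)


def _char_value(ch: str) -> int:
    if ch == " ":
        return 36
    if ch.isalpha():
        return ord(ch) - ord("A") + 10
    return int(ch)


def hkid_check_digit(prefix: str, digits: str) -> str:
    """Compute the expected check character for prefix + 6 digits."""
    body = prefix.rjust(2) + digits  # pad "A" to " A" so the body is 8 chars
    total = sum(w * _char_value(c) for w, c in zip(range(9, 1, -1), body))
    check = (11 - total % 11) % 11
    return "A" if check == 10 else str(check)


def is_valid_hkid(token: str) -> bool:
    m = HKID_RE.fullmatch(token)
    return bool(m) and hkid_check_digit(m.group(1), m.group(2)) == m.group(3)


def mask_hkid(token: str) -> str:
    """Masking pattern assumed for this example: keep prefix and check digit."""
    m = HKID_RE.fullmatch(token)
    if not m:
        raise ValueError("not an HKID-shaped token")
    return f"{m.group(1)}{'*' * 6}({m.group(3)})"


def find_hkids(text: str) -> list:
    """All HKID-shaped tokens in text, each flagged as checksum-valid or not."""
    return [
        {"token": m.group(0), "valid": is_valid_hkid(m.group(0))}
        for m in HKID_RE.finditer(text)
    ]


def inspect_outbound(text: str, block_at: int = 1) -> tuple:
    """DLP decision for an outbound payload: block when enough valid HKIDs appear."""
    findings = find_hkids(text)
    valid = sum(1 for f in findings if f["valid"])
    return ("block" if valid >= block_at else "allow"), findings


# Constructed sample export; names and numbers are invented for this example.
SAMPLE_EXPORT = """\
name,hkid,flight,remark
Chan Tai Man,A123456(3),CX888,window seat
Lee Siu Ming,XA987654(2),KA401,none
Ref B555555(9),looks like an HKID but fails the check digit
"""

if __name__ == "__main__":
    decision, findings = inspect_outbound(SAMPLE_EXPORT)
    print("decision:", decision)
    for f in findings:
        shown = mask_hkid(f["token"]) if f["valid"] else f["token"]
        print(f"  {shown}  valid={f['valid']}")
```

Run stand-alone, the script blocks the sample export because two checksum-valid HKIDs appear in it, while the third token, which has the right shape but a wrong check digit, is reported but not counted. In a real deployment the same validation step is what keeps a rule for a six-digit identifier from alerting on flight numbers, booking references and similar noise.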
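The monitoring recommendation above names two signals, unusually large outbound volume and suspicious DNS queries. The following Python example, added here and not HKCERT's code nor derived from any logs of the Cathay Pacific incident, shows both as simple SIEM-style detections over constructed log lines: it sums bytes per internal host for flows that actually leave the network and flags hosts far above the median of their peers, and it flags DNS queries whose labels are long and high-entropy, the signature of data encoded into subdomains. The log formats, addresses, the 10.0.0.0/8 internal range and all thresholds are assumptions chosen for illustration.

```python
"""Two SIEM-style detections over constructed log lines.

Added example for this advisory; not HKCERT's code and not derived from
any logs of the Cathay Pacific incident. Log formats, addresses, thresholds
and the 10.0.0.0/8 internal range are assumptions made for illustration.
Detection 1 flags internal hosts whose outbound volume is far above the
median of their peers; detection 2 flags DNS queries whose labels look like
encoded data (long, high-entropy), a common exfiltration channel.
"""
import ipaddress
import math
import statistics
from collections import Counter, defaultdict

INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]  # assumption

# Constructed flow records: "timestamp src dst bytes"
FLOW_LOG = """\
2018-03-05T01:12:03Z 10.1.5.10 203.0.113.9 1200000
2018-03-05T01:14:41Z 10.1.5.11 203.0.113.9 2500000
2018-03-05T01:17:22Z 10.1.5.12 198.51.100.4 800000
2018-03-05T01:19:08Z 10.1.5.13 203.0.113.20 3100000
2018-03-05T02:03:55Z 10.1.5.23 198.51.100.77 400000000
2018-03-05T02:31:17Z 10.1.5.23 198.51.100.77 400000000
2018-03-05T03:02:40Z 10.1.5.23 198.51.100.77 400000000
2018-03-05T03:10:01Z 10.1.5.11 10.1.9.4 50000000
"""

# Constructed DNS query records: "timestamp src qname"
DNS_LOG = """\
2018-03-05T02:00:11Z 10.1.5.10 www.cathaypacific.com
2018-03-05T02:00:12Z 10.1.5.11 mail.example.com
2018-03-05T02:01:05Z 10.1.5.23 7c3e9a1f5b2d80460b4f8c2e6a1d9573.t1.example.net
2018-03-05T02:01:06Z 10.1.5.23 0b4f8c2e6a1d95737c3e9a1f5b2d8046.t1.example.net
2018-03-05T02:02:30Z 10.1.5.12 cdn.example.org
"""


def is_internal(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def outbound_bytes_per_host(flow_log: str) -> dict:
    """Sum bytes per internal source, counting only flows that leave the network."""
    totals = defaultdict(int)
    for line in flow_log.splitlines():
        if not line.strip():
            continue
        _ts, src, dst, nbytes = line.split()
        if is_internal(src) and not is_internal(dst):
            totals[src] += int(nbytes)
    return dict(totals)


def volume_outliers(totals: dict, factor: int = 10) -> list:
    """Hosts sending more than `factor` times the median outbound volume."""
    if len(totals) < 3:  # too few hosts for a meaningful baseline
        return []
    baseline = statistics.median(totals.values())
    return sorted(h for h, b in totals.items() if b > factor * baseline)


def shannon_entropy(s: str) -> float:
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def suspicious_dns(dns_log: str, min_len: int = 16, max_len: int = 30,
                   min_entropy: float = 3.8) -> list:
    """Queries whose longest label is very long, or long and high-entropy."""
    findings = []
    for line in dns_log.splitlines():
        if not line.strip():
            continue
        _ts, src, qname = line.split()
        label = max(qname.split("."), key=len)
        ent = shannon_entropy(label)
        if len(label) >= max_len or (len(label) >= min_len and ent >= min_entropy):
            findings.append({"src": src, "qname": qname, "entropy": round(ent, 2)})
    return findings


def alerts(flow_log: str, dns_log: str) -> list:
    """Combine both detections into SIEM-style alert records."""
    out = [{"rule": "outbound_volume", "host": h}
           for h in volume_outliers(outbound_bytes_per_host(flow_log))]
    out += [{"rule": "dns_encoded_label", "host": f["src"], "qname": f["qname"]}
            for f in suspicious_dns(dns_log)]
    return out


if __name__ == "__main__":
    for a in alerts(FLOW_LOG, DNS_LOG):
        print(a)
```

Both rules point at the same constructed host, which is the kind of corroboration a SIEM correlation rule should look for before paging anyone. Note that the internal-to-internal flow in the sample is deliberately excluded: without that direction filter a large backup to an internal server would trip the volume rule, which is the usual source of false positives for this detection.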
With mass media attention on cyber security and new policies and regulations from various authorities, a data breach can cause not only reputational loss but also actual financial loss. For example, if your organisation has exposure to EU business, a violation of the General Data Protection Regulation (GDPR) can be fined up to 20 million euros or 4% of worldwide annual turnover, whichever is higher.
If a data breach occurs and involves personal data, organisations should report it to the Office of the Privacy Commissioner for Personal Data (PCPD) and notify the affected customers as soon as possible.
Advice to End Users
End users may consider the following precautions:
- Cathay Pacific has stated that it will contact the affected customers. Follow the updates published by the company; it has also set up a website for this purpose: https://infosecurity.cathaypacific.com/en_HK.html
- Be aware of scam and phishing messages that use the names of Cathay Pacific and Cathay Dragon, or your own personal information.
  - Phishing can arrive by email and also by phone call.
  - Cathay Pacific has announced that its emails about the data breach will be sent only from the sender address specified on its website. Note, however, that a sender address can be spoofed, so a matching sender is not by itself proof that a message is genuine.
  - Be especially wary of phishing that quotes your personal details. Even if the sender or caller can describe your personal information correctly, that information may come from the leaked data. If in doubt, contact the company through the official email address or phone number published on its website rather than the contact details provided by the sender or caller.
  - In general, do not click any link or open any attachment in a suspicious email. Contact Cathay Pacific if you have doubts about an email.
- Cathay Pacific is offering an ID monitoring service to affected passengers.
  - Subscription to this service is entirely voluntary. You decide how much personal information is submitted for monitoring, and can limit it to control the risk.
  - The ID monitoring service is provided by a third-party service provider, not by Cathay Pacific or Cathay Dragon. You need to submit your personal information to this provider for monitoring; if the provider itself suffers a data breach, your personal information could be leaked again. Consider this risk before using the service.
  - If you decide to use the service, make sure you visit the legitimate link as provided by Cathay Pacific.
  - If in doubt, contact Cathay Pacific for more information.
- Review your credit card transactions if the card has been used for payments to the company.
- Pay attention to SMS messages or phone calls from your card issuer about unusual credit card transactions, but verify them through the issuer's official channels rather than any number or link supplied in the message.
Cathay Pacific has set up a hotline for data breach enquiries: 800 933 287. For enquiries about data protection or end user protection, you can contact HKCERT at hkcert@hkcert.org or (852) 8105 6060.