Cathay Apologizes Over Data Breach but Denies Cover-up

The top two executives at Hong Kong carrier Cathay Pacific on Wednesday apologized for the firm’s handling of the world’s biggest airline hack that saw millions of customers’ data breached but denied trying to cover it up.

The CEO and chairman also said the crisis “was one of the most serious” in the embattled firm’s history and that they would act differently in a similar situation in future.

The pair were summoned to the city’s legislative council to explain to lawmakers why the airline had taken five months to admit that it had been hacked and that the data of 9.4 million customers had been compromised, including passport numbers and credit card details.

Lawmakers slammed the delay as a “blatant attempt” to cover up the incident and thereby deprive customers of months of opportunities to take steps to safeguard their personal data.

However, chairman John Slosar said: “I’d like to make it absolutely clear that there was never any attempt to cover anything up.”

He added: “I see it as one of the most serious crises that our airline has ever faced.”

Earlier he had read a statement to LegCo in which he said: “I must personally apologise directly to you and the people of Hong Kong.”

It emerged this week that the breach was the result of a sustained cyber attack lasting three months.

The airline had discovered suspicious activity on its network in March and confirmed unauthorised access to certain personal data in early May but did not make it public until October 24.

CEO Rupert Hogg explained the company needed time to establish the nature of attacks, contain the problem and identify stolen data, but said it “did regret the length of time” it took.

“We’ve learnt a lot of lessons from trying to do what we believe was right, which was to get accurate information about our customers, make sure that we knew what information pertained to them. We would do it a different way tomorrow indeed,” Hogg said.

When pressed by lawmaker Kwok Ka-ki on whether Cathay would report to its customers immediately if there was another leak, Slosar said: “We will report instantly, yes.”

Slosar also told lawmakers that the data breach issue was of great public interest but the information was not material or price sensitive.

The airline has contacted the customers affected.

The firm is already battling to stem major losses as it comes under pressure from lower-cost Chinese carriers and Middle East rivals.

It booked its first back-to-back annual loss in its seven-decade history in March and has previously pledged to cut 600 staff including a quarter of its management as part of its biggest overhaul in years.

Hong Kong-listed shares in the firm ended up 2.25 percent at HK$10.90.

Written By

AFP 2023
