Cathay Pacific Data Security Event

*Disclaimer: I love Cathay Pacific. Cathay Pacific is the “flag” carrier of a city where I was born and call home. I have been an avid fan of Cathay Pacific since I was young and have flown with Cathay Pacific for the past 30 years. My family has been Gold/Diamond Marco Polo Club members for years.*

I am angry and I am sad when I learned that Cathay Pacific had a data security event that led to more than 9 million passengers’ personal data being accessed without authorization.


Yes, I was one of them. I received an email saying that my personal data was “unauthorized accessed”.

I am angry not because my personal data got “hacked” but because Cathay Pacific knew about it in March and only decided to inform me in October.

I am sad because for whatever reason Cathay Pacific decided to make this calculated decision to inform the public and Hong Kong local authorities 7 months later. I am also sad that Cathay Pacific did not do enough to ensure passengers’ data are safe.

This is a crime. Cathay Pacific is a victim of a cybersecurity crime. As citizens, we are obliged to report a crime to the police and the respective authority in a timely manner. This is because we want to catch the criminal involved. We do not want this criminal to commit another crime. We want justice.

But for whatever reason, Cathay Pacific decided they are above the respective authorities, namely the Hong Kong Police and the Hong Kong Privacy Commissioner for Personal Data, and can take matters into their own hands. Yes, there are no laws in Hong Kong requiring a cybersecurity crime to be reported within a certain timeframe. However, isn’t it a company’s responsibility to inform their customers in a timely manner that their data got leaked? Does Cathay Pacific want the assistance of the local authority to solve this cybersecurity crime? Who was involved? Who got into Cathay Pacific’s systems? Will we find out 7 months later, or does Cathay Pacific know already but is too afraid to tell?

Yes, the argument is there that Cathay Pacific wanted to gather enough data about the security breach before informing the public. Yes, they are not obliged to seek the help of the respective authority. But it seems like there is no respect for the local authority when they are informed of such a crime 7 months later. As an outsider looking at this, what Cathay Pacific is saying is that even if they had told the authorities in March, there is nothing the authorities could have done to help.

Cathay Pacific is a victim of a cybersecurity crime, but now they seem like a culprit for hiding this information from the public for 7 long months. If Cathay Pacific had informed the respective authority immediately when this information became known, would the public have had sympathy for Cathay Pacific as a victim?

I hope Cathay Pacific has robust security measures in place to protect passengers’ data. They should have conducted a cybersecurity risk assessment, but they still got hacked and a crime was committed. Such measures can only mitigate the risks involved. Unfortunately, even with all these measures in place, Cathay Pacific has still fallen victim to such a crime, so why are they now acting like a culprit in such an event? The rationale behind their action cannot be explained rationally unless what they’ve told the public is just part of the story.

2 thoughts on “Cathay Pacific Data Security Event”

  1. I share with you that you are angry that you were not informed in time, as CX knew about this incident in March but did not disclose in October. Unfortunately, it is not a statutory requirement on data users under the current Hong Kong Personal Data (Privacy) Law to inform about a data breach incident concerning the personal data held by them. However, data users are nevertheless advised to do so as a recommended practice for proper handling of such an incident. Such a rule provided a loophole or allowed CX to not report this incident in a timely manner, as it is not required to by law. However, there is a possibility that CX may have breached the rules under the GDPR, which applies to protect EU individuals. According to GDPR, notification of a data breach must be made within 72 hours. At this point, it is unsure whether CX will fall into the ambit of GDPR. We need to gauge how this is interpreted and applied. Does CX process personal data of data subjects in the EU where the processing activities are related to (i) the offering of goods or services to such data subjects in the EU, irrespective of whether a payment by the data subject is required, or (ii) the monitoring of their behaviour as far as their behaviour takes place within the EU? If so, CX will need to compensate affected EU passengers and face fines of up to €20 million or 4 per cent of turnover (whichever is greater). After this incident, Hong Kong should consider amending and further enhancing the Personal Data (Privacy) Law to ensure that corporations notify a data breach within a certain period from the date of notice. That way, it will reduce the number of angry and sad people like yourself.

  2. You are right to be sad and angry, as you were not notified until Oct. While it is not a statutory requirement on data users to inform the PCPD about a data breach incident concerning the personal data held by them, data users are nevertheless advised to do so as a recommended practice for proper handling of such an incident. While CX may not be able to be fined under the current Personal Data laws in Hong Kong, CX may be in breach of GDPR, which applies to protect EU individuals. Before considering this, we need to gauge how this is interpreted and applied. Does CX process personal data of data subjects in the EU where the processing activities are related to (i) the offering of goods or services to such data subjects in the EU, irrespective of whether a payment by the data subject is required, or (ii) the monitoring of their behaviour as far as their behaviour takes place within the EU? If so, CX may be fined up to €20 million or 4 per cent of turnover (whichever is greater). HK needs to enact an amendment in law where corporations must notify when there is a data breach within a certain period of time. That way, people like you won’t be sad and angry!
