Cathay Apologizes Over Data Breach but Denies Cover-up
15.11.2018 securityweek Incident
The top two executives at Hong Kong carrier Cathay Pacific on Wednesday apologized for the firm's handling of the world's biggest airline hack that saw millions of customers' data breached but denied trying to cover it up.
The CEO and chairman also said the crisis "was one of the most serious" in the embattled firm's history and said they would act differently in a similar situation in future.
The pair were summoned to the city's legislative council to explain to lawmakers why it had taken five months to admit it had been hacked and the data of 9.4 million customers compromised, including passport numbers and credit card details.
Lawmakers slammed the delay as a "blatant attempt" to cover up the incident and thereby deprive customers of months of opportunities to take steps to safeguard their personal data.
However, chairman John Slosar said: "I'd like to make it absolutely clear that there was never any attempt to cover anything up."
He added: "I see it as one of the most serious crises that our airline has ever faced."
Earlier he had read a statement to LegCo in which he said: "I must personally apologise directly to you and the people of Hong Kong."
It emerged this week that the breach was the result of a sustained cyber attack that lasted three months.
The airline had discovered suspicious activity on its network in March and confirmed unauthorised access to certain personal data in early May but did not make it public until October 24.
CEO Rupert Hogg explained the company needed time to establish the nature of attacks, contain the problem and identify stolen data, but said it "did regret the length of time" it took.
"We've learnt a lot of lessons from trying to do what we believe was right, which was to get accurate information about our customers, make sure that we knew what information pertained to them. We would do it a different way tomorrow indeed," Hogg said.
When pressed by lawmaker Kwok Ka-ki on whether Cathay would report to its customers immediately if there was another leak, Slosar said: "We will report instantly, yes."
Slosar also told lawmakers that the data breach issue was of great public interest but the information was not material or price sensitive.
The airline has contacted the customers affected.
The firm is already battling to stem major losses as it comes under pressure from lower-cost Chinese carriers and Middle East rivals.
It booked its first back-to-back annual loss in its seven-decade history in March and has previously pledged to cut 600 staff including a quarter of its management as part of its biggest overhaul in years.
Hong Kong-listed shares in the firm ended up 2.25 percent at HK$10.90.