Report released on Cathay Pacific 2018 data breach

cathay pacific

Cathay Pacific has been ordered to take remedial action following the data breach exposing 9.4 million people.

The Hong Kong Privacy Commissioner for Personal Data, Stephen Kai-Yi Wong released an official report detailing an investigation into the Cathay Pacific breach.

At the time the breach was discovered, it was found that customer data including passenger names, nationalities, dates of birth, identity card numbers and travel history had been accessed without authorisation.

The report wrote that in its internal investigation the cause of the incident was traced back to a pair of groups, whereby the first group dropped a key-logger onto a reporting system in October 2014 which was used to harvest user account credentials. However, the report noted it was not aware as to how the group entered the system.

Whilst the second group exploited an old vulnerability of an Internet Facing Server which enabled them to bypass authentication and gain administrative access.

Cathay claimed that it had run a vulnerability scan on the Internet Facing Server before it went live however the scan did not identify the vulnerability. Additionally, Cathay claimed that the anti-malware and endpoint protection was unable to detect the relevant malware and utilities due to no publicly available signatures.

Wong wrote:

“Cathay failed to identify the commonly known exploitable vulnerability and the exploitation, and did not take reasonably practicable steps to accord due deployment of the internet facing server (Internet Facing Server).

“Cathay’s vulnerability scanning exercise for the internet facing server at a yearly interval was too lax in the context of effectively protecting its IT System against evolving digital threats.”

The report criticises Cathay for not implementing multi-factor authentication to all remote access users for accessing its IT system involving personal data as well criticised for producing an unencrypted database backup files “to facilitate migration of data centre without adopting effective security controls, thus exposing the personal data of the Affected Passengers to attackers”.

The Commissioner has served an enforcement notice on Cathay directing Cathay to utilise an independent data security expert to overhaul the systems containing personal data “to the effect that these systems are free from known malware and known vulnerabilities”.

As well as directing Cathay to implement an effective multi-factor authentication, scanning for vulnerabilities more often, conducting reviews/tests of the security of Cathay’s network, and creating a “clear data retention policy”.


PrivSec Conferences will bring together leading speakers and experts from privacy and security to deliver compelling content via solo presentations, panel discussions, debates, roundtables and workshops.

For more information on upcoming events, visit the website.

We have been awarded the number 1 GDPR Blog in 2019 by Feedspot.