Cathay enlists firm once sued for data breach to help after hack

Cathay Pacific Airways Ltd. has enlisted a company that was itself once caught up in a hacking scandal to help deal with the fallout of a data breach that affected more than 9 million passengers.

Asia’s biggest international carrier is offering customers hit by the hack – which saw passport details to emails illegally accessed – the option to take up a service provided by Experian Plc to monitor whether their information is being misused online.

But the Nottingham, England- based credit-tracking firm had its own experience with hacking in 2015, when a breach saw the data of 15 million subscribers of T-Mobile US Inc. held on Experian’s servers exposed. The company was sued over the incident, along with the telecommunications provider.

Cathay has lost more than USD320 million in market value since news of the hack broke, as investors and customers question the company’s handling of the situation. The airline, which said it first discovered the breach in March and confirmed it in May, didn’t disclose it until Oct. 24, in a late-night statement to the Hong Kong stock exchange.

When queried on Experian’s history by Bloomberg News, Cathay declined to comment. The airline said the time taken to disclose the breach was mainly due to the complexity of the data, and because the event required considerable investigation. “We are focused now on assisting affected customers.”

The airline is just the latest company to have its data hacked, with Facebook Inc., and fellow air carriers British Airways Plc and Delta Air Lines Inc. all targeted over the past year. While firms have spent millions of dollars on sophisticated tools to shield their computer networks from attack, data security has become increasingly challenging. Hackers are on the rise, with many stealing troves of personal data that can be sold on the black market and used to carry out financial crimes.

Experian helps track stolen data, when it shows up on websites, chat rooms, blogs or for sale in corners of the internet, often known as dark websites. It is entirely up to the user to decide how much information they want to share if they choose to subscribe to the one-
year, free service, Cathay said in emails to affected passengers offering the service.

The security of customer data is “top priority,” and Experian aims to provide protection and assistance to those affected, Sisca Margaretta, the company’s Singapore-based chief marketing officer for Asia Pacific, said in an email. Referring to the past incidents, she said Experian’s consumer credit database was not accessed and no payment card or banking information was obtained.

“We actively monitor our systems and are continually updating our security protocols to protect data stored on our systems,” she said.

Laura Gabriela Politis, 36, a Cathay Pacific customer, said she isn’t sure she’d take up the offer to use the Experian service.

“That company has [had] a data breach themselves – and they’re asking for more information when your data has been compromised,” said the Hong Kong-based traveler, who often flies to Singapore, the U.S. and Europe both for business and on vacation. “I still don’t understand why it took them months to let us know.”

The information accessed in the Cathay hack included names, nationalities, dates of birth, phone numbers, emails, physical addresses, numbers for passports, identity cards and frequent-flier programs, as well as historical travel information. Flight safety wasn’t compromised and there was no evidence any information has been misused, Cathay said, without revealing details of the origin of the attack.

Hong Kong’s government said Friday it is “highly concerned” about the incident and has asked the airline to “fully cooperate” with the Privacy Commissioner for Personal Data on a compliance check.

The delay in disclosing the breach could expose Cathay to lawsuits, said Robert Braun, a partner at Jeffer Mangels Butler & Mitchell LLP in Los Angeles and co-chair of the firm’s cybersecurity and privacy group.

“That’s always a problem when you have that kind of delay,” he said. “That means the information is out in the wild and people aren’t aware they can take steps to protect it.” Bruce Einhorn, Kyunghee Park and Jinshan Hong, Bloomberg