It happened in March, so why are we hearing about it now?

It’s happened again. After Uber, British Airways, U.S. Strategic Command, Apple, Delta and countless other companies – Cathay Pacific has now been confirmed as the latest victim of a massive data breach. The Hong Kong-based airline has faced headwinds in 2018 with the rise of low-cost carriers entering the Asian market, and now the delayed announcement of an incredibly large-scale data breach also stands in the way. The breach occurred in March, which has many voices wondering: why wait until now to tell us?…

9.4 Million Customers

According to Reuters, the Cathay Pacific data breach affects 9.4 million customers, including 860,000 passport numbers and 240,000 Hong Kong Identity Cards. The breach is also said to affect credit card data, though the company comments that a large majority of the cards were expired or did not include the CVV code, commonly referred to as the three-digit security code. Cathay Pacific released a formal statement detailing the extent of the access…

“Accessed data includes names of passengers, their nationalities, dates of birth, telephone numbers, email and physical addresses, passport numbers, identity card numbers and historical travel information”.

March Breach, October Statement

The playbook of late, as evidenced in recent breaches such as British Airways, has been to come clean immediately. It makes sense. Customer data is sensitive, and in the world of GDPR, people deserve to know when their data has been accessed, with immediate effect. Cathay Pacific is said to have discovered the breach in March of 2018, and confirmed it in May. Yet here we are, at the tail end of October, and the breach is just being made public. How could the airline have possibly thought this breach would remain private, and why would they try to hide it from 9.4 million affected customers? These are questions which currently do not have answers.

The Story So Far

Cathay Pacific has referred the matter to Hong Kong Police, and says that no passenger data has been misused so far. Of course, that’s not an easy statement to verify. That’s serious business. At this time, there’s nothing for passengers to do other than wait, and hope their personal information isn’t used for nefarious purposes…