Most Devastating Airline Hack in History

Hong Kong-based airline Cathay Pacific claims that a "malicious, criminal attack" on its website has hit over 9 million passengers. Data including passport numbers, identity card numbers, email addresses and credit card details had been accessed. The leak occurred just as the troubled airline battles to stem major losses as it faces pressure from lower-cost Chinese carriers and Middle East rivals.

Background 

Cathay Pacific Airways Limited is the flag carrier of Hong Kong, with its head office and main hub located at Hong Kong International Airport. The airline's operations and subsidiaries have scheduled passenger and cargo services to more than 190 destinations in more than 60 countries worldwide including codeshares and joint ventures. 

The airline was founded on 24 September 1946 by Australian Sydney H. de Kantzow and American Roy C. Farrell. The airline made the world's first non-stop transpolar flight flying over the North Pole in July 1998, which was also the maiden flight to arrive at the then-new Hong Kong International Airport.

Cathay Pacific is the world's tenth largest airline measured in terms of sales, and fourteenth largest measured in terms of market capitalisation. It booked its first back-to-back annual loss in its seven-decade history in March 2018 and had previously pledged to cut 600 staff, including a quarter of its management, as part of its biggest overhaul in years.

In a similar incident, September 2018, the personal and financial details of about 380,000 customers who booked flights on British Airways website and mobile phone app over several weeks had been stolen. The revelation came just a few months after the European Union tightened data protection laws with the so-called General Data Protection Regulation (GDPR). The airline took out full-page adverts in UK newspapers to apologise to customers, while the share price of parent group IAG was hit. 

Analysis 

Cathay Pacific Airways Ltd. became the target of the world’s biggest airline data breach after a hacker accessed credit card, passport and personal details of some 9.4 million customers.

The airline’s shares slumped to the lowest intraday level in nine years, shaving as much as $361 million off its market value, after the Hong Kong-based carrier said it discovered suspicious activity on its network in March and confirmed the unauthorized access in May. Flight safety wasn’t compromised and there was no evidence any information has been misused, it said, without disclosing details of the origin of the attack.

“This is quite shocking,” said Shukor Yusof, founder of aviation consulting firm Endau Analytics in Malaysia. “It’s probably the biggest breach of information in the aviation sector.” Impacting more people than the population of Cathay Pacific’s home base of Hong Kong, the hack is in another league, when compared to breaches reported by British Airways Plc and Delta Air Lines Inc. this year. Those carriers boosted spending on cyber security after hacks, which saw personal and financial information of hundreds of thousands of customers illegally accessed. 

 It is uncertain if Cathay Pacific would be liable to any fines imposed by government authorities for such a breach. The data breach at Cathay -- a partner of British Airways in the Oneworld airline alliance -- adds to the carrier’s woes, with Chief Executive Officer Rupert Hogg trying to turn it around after two straight annual losses. Shares of Cathay Pacific tumbled as much as 6.8 percent to their lowest intraday level since June 2009. 

The hack exposed names, nationalities, dates of birth, telephone numbers, email, physical addresses, numbers for passports, identity cards and frequent-flier programs, and historical travel information; 403 expired credit card numbers; About 860,000 passport numbers and 245,000 Hong Kong IDs. Hong Kong’s privacy commissioner expressed serious concern over the leak and said the office will initiate a compliance check with the airline. A dedicated website, infosecurity.cathaypacific.com, provides information about the event and what affected passengers should do next. Some local lawmakers criticized Cathay for taking seven months to reveal the breach. Lam Cheuk-ting, a member of the Legislative Council’s security committee, told reporters that many people in Hong Kong are angry and the airline should’ve taken the initiative the very first day it found out. Cathay’s Chief Customer and Commercial Officer Paul Loo said the airline wanted to have accurate grasp on the situation and didn’t wish to “create unnecessary panic,” AFP reported. 

Upon discovery, Cathay said it took immediate action to contain the event and started a “thorough” probe with the assistance of a cybersecurity firm and bolstered its network security. 

Assessment 

Our assessment is that the share prices of Cathay Pacific will remain unsteady for a short while. We believe that this breach is further evidence that major airline carriers must ensure their customers data is protected by multiple layers of security. The losses from failing to do so greatly outweigh the costs of compliance.