Well, damn.
Turns out the massive leak of customer data reported by Cathay Pacific last month was even worse than the airline previously admitted.
The company was already under fire for waiting several months to disclose that personal details of 9.4 million customers had been compromised.
Now, it appears their initial characterization of the leak — which they described as “suspicious activity” — also left much to be desired.
Because, in a disclosure submitted to Legco today ahead of a hearing on the fiasco, Cathay Pacific acknowledged it was the victim of a prolonged hack “carried out by sophisticated attacker(s).”
After detecting the suspicious activity in March 2018, the airline contracted a global cybersecurity firm to understand and contain the incident.
However, the hacking attacks then continued for months, their statement today said.
“Cathay was subject to further attacks which were at their most intense in March, April and May but continued thereafter,” the company wrote.
“These ongoing attacks meant that internal and external IT security resources had to remain focused on containment and prevention.
“These ongoing attacks also expanded the scope of potentially accessed data, making the challenge of understanding it more lengthy and complex in phase two of the investigation.”
It wasn’t until mid-August that the company completed phase two of its investigation, namely identifying what data was accessed and whether the data could be read by attackers.
According to the company, the data compromised varied by affected passenger.
In different combinations, details accessed included names, nationalities, dates of birth, phone numbers, email addresses, postal addresses, travel documents and/or passport numbers, identity card numbers, frequent flyer membership numbers, customer service remarks, and/or historical travel information.
The airline found that “a very small number” of “mostly expired credit numbers” had been accessed by attackers but “in no case was the credit card data complete.”
Cyber security experts searched the dark web and other sites but found no evidence any of the stolen data had been uploaded to online forums.
Cathay said it waited until it had finished, as much as it could, identifying stolen data for individual passengers on October 24 before publicly revealing the hack.
“Cathay wanted to be able to give a single, accurate and meaningful notification to each affected passenger, rather than to provide an overly broad and non-specific notice,” it stated.
The company also said the hack occurred despite spending more than HK$1 billion (US$127 million) on IT infrastructure and security in the past three years.
“Our plans, which include growing our team of IT security specialists, will necessarily evolve in response to this challenging environment,” the company wrote.