There are no Hong Kong laws to force companies to reveal data leaks, the city’s privacy commissioner said today, following revelations that Cathay Pacific waited for several months to publicly announce that personal details of more than 9 million customers had been compromised.
Stephen Wong made the comments on an RTHK radio program today, saying such cases did not trigger a “legal responsibility” but were a “moral responsibility.”
He also discussed his own concerns that fraudsters may attempt to use information gleaned from the massive leak to target individuals with phishing attacks.
Wong told the public broadcaster he personally had received an email purporting to be from Cathay, though he had chosen not to open it out of fear it could be such a scam, RTHK reported.
Phishing refers to when scammers attempt to get sensitive information like passwords by sending an email or message falsely claiming to be from a legitimate institution.
Following the leak, discovered by Cathay in May but only revealed last week, Wilson Wong, a general manager at the Hong Kong Productivity Council who specializes in cyber security, warned victims of the breach could be at greater risk of being targeted. Cathay also voiced similar fears, according to the SCMP, which today reported the airline had called in police to investigate the breach.
Speaking at an RTHK forum, Wong noted phishing attacks were more difficult to detect if scammers have accurate personal details.
The airline said Wednesday it had discovered suspicious activity on its network in March and confirmed unauthorised access to certain personal data in early May.
However, chief customer and commercial officer Paul Loo said officials wanted to have an accurate grasp on the situation before making an announcement and did not wish to “create unnecessary panic.”
The airline admitted about 860,000 passport numbers, 245,000 Hong Kong identity card numbers, 403 expired credit card numbers and 27 credit card numbers with no card verification value (CVV) were accessed.
Local politicians slammed the carrier, saying its response had only fuelled worries.
In his remarks today, Wong called on people to be vigilant. He added his office had received 24 complaints about the data breach so far.
Half of these, according to RTHK, concern compensation issues, while others expressed frustration at the delay in the public being notified.
Referring to past cases, Wong said it was “not easy” to seek compensation in such situations, though he said that there was a chance people could take action if they could prove they had suffered emotional damage from the leak.
With the breach affecting people worldwide, one legal group has encouraged victims to seek compensation via the European Union’s General Data Protection Regulation (GDPR), which requires companies to report such incidents within 72 hours or face heavy fines, according to the SCMP.
However, noting the GDPR didn’t take effect until May 25, a lawyer speaking to the Hong Kong Economic Journal questioned whether Cathay would be liable under the regulations.