A Cathay Pacific Airways staffer walks past self check-in machines at the Hong Kong Airport in Hong Kong, China. Picture: REUTERS
A Cathay Pacific Airways staffer walks past self check-in machines at the Hong Kong Airport in Hong Kong, China. Picture: REUTERS

Singapore — Cathay Pacific Airways  has enlisted a company that was itself once caught up in a hacking scandal to help deal with the fallout of a data breach that affected more than 9-million passengers.

Asia’s biggest international carrier is offering customers hit by the hack — which saw passport details to e-mails illegally accessed — the option to take up a service provided by Experian   to monitor whether their information is being misused online.

But the Nottingham, England-based credit-tracking firm had its own experience with hacking in 2015, when a breach saw the data of 15-million subscribers of T-Mobile US  held on Experian’s servers exposed. The company was sued over the incident, along with the telecommunications provider.

Cathay has lost more than $320m in market value since news of the hack broke, as investors and customers question the company’s handling of the situation. The airline, which said it first discovered the breach in March and confirmed it in May, did not disclose it until October 24, in a late-night statement to the Hong Kong stock exchange.

When queried on Experian’s history, Cathay declined to comment. The airline said the time taken to disclose the breach was mainly due to the complexity of the data, and because the event required considerable investigation. “We are focused now on assisting affected customers.”

Bigger challenge

The airline is just the latest company to have its data hacked, with Facebook, and fellow air carriers British Airways  and Delta Air Lines  all targeted over the past year. While firms have spent millions of dollars on sophisticated tools to shield their computer networks from attack, data security has become increasingly challenging.

Hackers are on the rise, with many stealing troves of personal data that can be sold on the black market and used to carry out financial crimes.

Experian helps track stolen data, when it shows up on websites, chat rooms, blogs or for sale in corners of the internet, often known as dark websites. It is entirely up to the user to decide how much information they want to share if they choose to subscribe to the one-year, free service, Cathay said in emails to affected passengers offering the service.

Top priority

The security of customer data is “top priority”, and Experian aims to provide protection and assistance to those affected, Sisca Margaretta, the company’s Singapore-based chief marketing officer for Asia Pacific, said in an e-mail. Referring to the past incidents, she said Experian’s consumer credit database was not accessed and no payment card or banking information was obtained.

“We actively monitor our systems and are continually updating our security protocols to protect data stored on our systems,” she said.

Laura Gabriela Politis, 36, a Cathay Pacific customer, said she was not  sure she would  take up the offer to use the Experian service.

“That company has [had] a data breach themselves — and they’re asking for more information when your data has been compromised,” said the Hong Kong-based traveller, who often flies to Singapore, the US and Europe both for business and on holiday. “I still don’t understand why it took them months to let us know.”

Names, addresses

The information accessed in the Cathay hack included names, nationalities, dates of birth, phone numbers, e-mails, physical addresses, numbers for passports, identity cards and frequent-flier programmes, as well as historical travel information.

Flight safety was not  compromised and there was no evidence any information has been misused, Cathay said, without revealing details of the origin of the attack.

Hong Kong’s government said on Friday it is “highly concerned” about the incident and has asked the airline to “fully cooperate” with the Privacy Commissioner for Personal Data on a compliance check.

The delay in disclosing the breach could expose Cathay to lawsuits, said Robert Braun, a partner at Jeffer Mangels Butler & Mitchell in Los Angeles and co-chair of the firm’s cybersecurity and privacy group.

“That’s always a problem when you have that kind of delay,” he said. “That means the information is out in the wild and people aren’t aware they can take steps to protect it.”