EVERYONE’s personal data information on the internet is safe. Until the next attack.

This fragile security condition of data online has proved inadequate again with the data breach that hit Cathay Pacific Airways Ltd.

Cathay Pacific Airways
Image: Pixabay.

The National Privacy Commission (NPC) headed by Commissioner Raymund E. Liboro learned about the hacking of the airline’s data on March 13 after it informed the agency.

An order was in order (no pun intended), as the NPC showed.

“This order is being issued under the power of this Commission to compel any entity to abide by its orders on a matter of data privacy, in relation to a data breach submitted by Betita Cabilao Casuela Sarmiento for and in behalf of Cathay Pacific (Cathay),”

And the order?

The NPC through lawyer Francis Euston R. Acero, division chief, Complaints and Investigation Division, and Gilbert V. Santos, director IV, Legal and Enforcement Office, ordered the Chinese airline to:

● Explain within ten (10) days why Cathay should have this Commission overcome the presumption that there has been a failure to timely notify this Commission about the occurrence of a data breach requiring timely notification giving rise to criminal liability on the part of the responsible officers of Cathay; and

● Submit within five (5) days further information on the measures take to address the breach.

It was gleaned from an NPC email message sent to SDN — Scitech and Digital News that the airline notified the agency through a letter on October 25 last month.

NPC logo bImage: from NPC.

As related by the government agency, citing lawyer Pericles Casuela of Cathay Pacific, the airline noticed suspicious activity on its network on March 13, prompting it to start an internal investigation assisted by a cybersecurity company — Mandiant.

Forensics investigate data breach

Then on May 27, the forensics investigators of the airline confirmed unauthorized access to some information systems within the airlines’ network, at the same time being able to determine the data accessed or ex-filtrated by unknown individuals.

Affected by the hacking attack, presumably by still unidentified cybercriminals, are Cathay Pacific and Hong Kong Dragon Airlines Ltd. passengers’ personal data.

Covered by the breach included passenger name; nationality; date of birth; phone number; email address; credit card number; address; passport number; identity card number, frequent flyer membership number; customer service remarks; and historical travel information, the NPC said in its four-page order to the airline management.

On the other hand, the NPC emphasized that there was no information on travel or loyalty profile was accessed in full and no passwords were compromised.

The privacy commission, again from Cathay Pacific’s report on the data breach it received, “Cathay ‘very recently’ determined the Philippine nationality of those compromised in the attack through passport details, or where other personal data in Cathay’s possession contained a Philippine address or telephone number.”

Of the Philippine data subjects (read: Filipinos) affected: Some 102,209 Philippine data subjects had their data compromised; roughly 35,700 passport numbers from the Philippines were exposed; and there were 144 credit card numbers exposed.

The NPC reminded Cathay Pacific of the requirement to report data breaches to the Commission.

Notification requirement

“Under Philippine law, notification to this Commission and to the data subjects of the existence of a data breach become mandatory when: (a) what is involved is data is classified as sensitive personal information or information that can be used to enable identify fraud; (b) there is reason to believe that this information is in the hands of an unauthorized person; and (c) there is a real risk of serious harm to the data subject,” the NPC through Acero and Santos said.

The NPC also cited that “intentionally or by omission conceals that fact of such security breach” would make the persons who knew it be liable for criminal prosecution under Philippine law.

“On the surface, there appears to be a failure on the part of Cathay to report to this Commission what it knew about the data breach at the time it confirmed unauthorized access, and what the affected data fields are.

“Cathay’s term, ‘very recently,’ does not establish any timeline through which we may determine the timelines of the report dated 25 October 2018,” the privacy commission said. (EKU)