[BreachExchange] Cathay Pacific cyberattack far worse than thought after airline admits facing intense hack for more than three months

Destry Winant destry at riskbasedsecurity.com
Tue Nov 13 10:02:05 EST 2018


https://www.scmp.com/news/hong-kong/law-and-crime/article/2172796/cathay-pacific-cyberattack-far-worse-previously-thought

A major cyberattack that saw the data of 9.4 million Cathay Pacific
Airways customers stolen by hackers was far worse than the airline has
previously admitted.

Rather than the “suspicious activity” it said it had discovered on its
billion-dollar computer network in March, the carrier revealed on
Monday that it had been the target of an intense attack lasting more
than three months.

Cathay made the shock admission in a written submission to Hong Kong
lawmakers ahead of a committee hearing to question the airline’s
management team on Wednesday morning.

Such was the intensity of the attack, Cathay said internal and
external IT security experts had to focus solely on containment and
prevention throughout March, April and May.

The airline also revealed it had spent HK$1 billion (US$128 million)
over three years on IT infrastructure and security, but it was not
enough to stop what it called “sophisticated attackers” repeatedly
targeting and breaching its system.

Cathay’s investment in its IT system included spending on two large
data servers and cloud computing, and came during a period when it
generated HK$292 billion (US$37 billion) in revenue.

On October 24, the airline revealed it had suffered a major data
breach seven months earlier, and said it had taken steps to
investigate whether customer data had been compromised.

It took until mid-August for investigators to discover what hackers
had been able to steal, and how it had affected customers.

“Cathay was subject to further attacks which were at their most
intense in March, April and May but continued thereafter,” the airline
said in its statement. “These ongoing attacks meant that internal and
external IT security resources had to remain focused on containment
and prevention.”

Cathay’s revelations contradict statements it made earlier about what
it knew about the cyberattack, and when.

Questioned on a radio show a day after revealing the hack, Paul Loo
Kar-pui, the airline’s chief customer and commercial officer, said the
company was not able to confirm if its IT system had been breached
until early May.

At the time, he did not mention the fact the firm had been subjected
to attacks for more than three months.

The hack has prompted a formal investigation by the Hong Kong privacy
watchdog, while a police investigation is ongoing.

“The investigation was complex, longer than what we would have wished,
and we would have liked to have been able to provide this information
sooner,” the airline said.

Cathay, one of Asia’s largest international carriers, has been roundly
criticised for not telling customers about the hack immediately. On
Monday it repeated expressions of “great regret” and “sincere
apologies” to the affected passengers, and hoped to “continue to earn
their confidence and trust”.

“Throughout our investigation into this incident, our foremost
objective and primary motivation has been to support our affected
passengers by providing accurate and meaningful information,” the
statement said.

Lawmaker Charles Mok, representing the IT sector, said the company had
missed three opportunities over the course of seven months to go
public.

“March, May, August they missed all these opportunities to report it,”
said Mok, who was unequivocally critical of the airline’s briefing
note given to the Legislative Council.

“I think the answers are very vague… they didn’t elaborate.”

Information accessed by the hackers included passengers’ names,
nationalities, dates of birth, telephone numbers, email and home
addresses, frequent flier programme membership numbers, passport
numbers, Hong Kong ID card numbers and expired credit card numbers.

Of the 9.4 million people affected, customers included members of the
Asia Miles loyalty programme, the Marco Polo Club frequent flier
scheme, as well as non-member passengers.

Cathay CEO Rupert Hogg, chairman John Slosar and Loo, who is
responsible for the airline’s IT division and chairman of Asia Miles,
are expected to attend the committee hearing on Wednesday.

