News Insights: The Cathay Pacific Breach


Airline hack exposes 10 million people’s most personal information

Cathay Pacific has been hacked, and some 9.4 million customers may have had their most personal data stolen, the airline has warned. The breach included passport details and credit card numbers, Hong Kong’s flag carrier said. The company said it discovered the hack during a review of its IT security processes, when it found that someone had broken into an information system containing passenger data on the 9.4 million people.



Ryan Wilk, VP of customer success for NuData Security, a Mastercard company, provided the following insights:

“Data in the wrong hands – especially payment card information – can have a huge impact on customers, far beyond the unauthorized use of their cards. Payment card information, combined with other user data from other breaches and social media, builds a complete profile. In the hands of fraudsters and criminal organizations, these valuable identity sets are usually sold to other cybercriminals and used for myriad criminal activities, both on the Internet and in the physical world. Using these real identities, and sometimes fake identities with valid credentials, they’ll take over accounts, apply for loans, and much more. Every hack has a snowball effect that far outlasts the initial breach.

All customer information is valuable to fraudsters. Name, physical and email addresses, passwords, the content of emails – everything that can be used to compile an identity will be used. We must change the current equation of ‘breach = fraud’ by changing how we think about online identity verification. We need to protect all customer data, but more importantly, we need to make it valueless.

Multi-layered technology that thwarts fraud exists right now. Passive biometrics technology is making stolen data valueless by verifying users based on their inherent behavior instead of relying on their data. This makes it impossible for bad actors to access illegitimate accounts, as they can’t replicate the customer’s inherent behavior.

Analyzing customer behavior with passive biometrics is completely invisible to users. It has the added benefit of providing valid users with a great experience without the extra friction that often comes with other customer identification techniques. When fraudsters try to use stolen customer data or login credentials, they will find the data is useless.

The balance of power will return to customer protection when more companies implement such techniques and technology.”


Randy Abrams, Senior Security Analyst at Webroot, said:

“Airlines appear to be an increasingly popular target for cybercriminals. In recent months, Air Canada and British Airways have suffered breaches. However, the Cathay Pacific breach disclosed a feature-rich set of data, including more than 40 times more passports than the Air Canada breach, meaning it will have a much greater impact on passengers.

In addition to potential monetary theft, having a high number of passports compromised with passenger history and information should be of significant concern to governments across the world as they try to secure their borders. The sheer amount and quality of data leaked can make for extremely targeted social engineering attacks. Being able to incorporate details such as travel history can enable cybercriminals to create exceptionally plausible social engineering attacks against enterprises, helping fuel future attacks.

In addition to the reputation cost, Cathay Pacific may face costly GDPR repercussions due to the amount of time that passed between the discovery of the breach and reporting it to the public. It is clear that all airlines are squarely in the crosshairs of cybercriminals, and as such must be significantly more vigilant. Airlines are not random targets to cybercriminals.”