Information leakage involving 9.4 Million Individuals
Whilst passengers might still be waiting in the telephone queue hoping to get further advice from their banks or credit card providers in dealing with the data theft from British Airways’ website and mobile app, another flag carrier, Cathay Pacific (“CX”), announced a data security incident on 24th October 2018 pursuant to the Securities and Futures Ordinance. A similar statement was also posted on its website on the same date: “Cathay Pacific announced today that as part of its ongoing IT security processes, it has discovered unauthorized access to some of its information system containing passenger data of up to 9.4 million people.”
Affected customers were only officially informed by the airline that their personal information had been compromised one day after the announcement was issued. The general public learned only through the media that ‘suspicious activity’ on CX’s network had in fact been discovered as early as March 2018. CX then commenced a ‘thorough investigation’ with the assistance of a ‘leading cybersecurity firm’ and took steps to ‘further strengthen its information system security measures’. In May 2018, CX confirmed there had been a data breach. It is unclear from the statements and interview reports why CX waited almost 6 months to report the leakage to the Privacy Commissioner in Hong Kong (“the Commissioner”), the Hong Kong Police and other authorities. The chief customer and commercial officer’s explanation, that the delay was to avoid ‘unnecessary panic’ among customers, seems unsatisfactory: the aggrieved data subjects now realize they were kept in the dark about the incident for months, and were thereby deprived of the earliest opportunity to take action to mitigate their losses.
According to CX, the types of personal data which were accessed and affected include: name, nationality, date of birth, phone number, email address, passport number, identity card number, frequent flyer programme membership number, customer service remarks and historical travel information. Approximately 860,000 passport numbers and 245,000 Hong Kong identity card numbers were accessed. Surprisingly, given the reported number of affected individuals, CX claimed that only 403 expired credit card numbers and 27 credit card numbers without CVV (card verification value) were targeted.
Apart from an extremely brief summary, CX has so far been unable to provide further details of the so-called ‘suspicious activity’ discovered during the course of its ‘ongoing IT security processes’. Cyber-security researcher Anthony Lai Cheuk-tung indicated in a newspaper interview that CX’s IT vendor, which was authorised to access the customer database, might have been hacked while carrying out testing. Mr. Lai also understands from CX that the IT vendor used real data of existing CX customers for software testing, and he casts serious doubt on the security measures adopted by the IT vendor. It is suspected that the IT vendor might have failed to install a firewall, which allowed hackers to gain free and unlimited access to CX’s customer data.
Hong Kong: DPP 4 and Guidance Notes
Among the six data protection principles stipulated under the Personal Data (Privacy) Ordinance (“the Ordinance”), Data Protection Principle 4(1) (“DPP4(1)”) provides that a data user shall take all reasonably practicable steps to ensure that the personal data held by it is protected against unauthorized or accidental access, processing, erasure, loss or use, having particular regard to the kind of data and the harm that could result if any of those things should occur. Data users who have entrusted data processing work to agents should also pay attention to Data Protection Principle 4(2) (“DPP4(2)”): if a data user engages a data processor, whether within or outside Hong Kong, to process personal data on its behalf, the data user must adopt contractual or other means to prevent unauthorised or accidental access, processing, erasure, loss or use of the data transferred to the data processor for processing.
To facilitate data users’ understanding of the compliance requirements of DPP4(2), the Commissioner issued an Information Leaflet on ‘Outsourcing the Processing of Personal Data to Processors’ in September 2012. Data users can choose to adopt contractual or other means to monitor data processors’ compliance with data protection requirements. In any event, data users must be satisfied that their data processors are competent and have good track records. In addition, they should ensure the processors have adequate policies and procedures and effective security measures in place so that the personal data in their care is properly safeguarded at all times. Data users should also have the right to audit and inspect how their processors handle and store personal data, and should exercise that right whenever necessary.
Action Against CX
In Hong Kong, although it is not a mandatory requirement under the Ordinance to report a data breach, data users are still bound by the data protection principles and security requirements under the Ordinance. Right after CX’s announcement, the Commissioner reassured the general public that his office (“PCPD”) would initiate a compliance check on CX. In the course of a compliance check, PCPD will point out to the data user concerned any deficiency in its existing operations in terms of data protection, and may thereafter conduct an investigation of suspected breaches pursuant to section 38(b) of the Ordinance. In the present incident, CX outsourced its IT operations to a third-party data processor which (i) might have used live data in a testing environment; and (ii) had its system come under attack during software or system testing. If an investigation is warranted upon completion of the compliance check due to a possible contravention of the Ordinance, we expect PCPD will focus on examining whether CX has complied with DPP4(1) and (2), in particular whether CX has fulfilled its obligations under DPP4(2) and what steps CX has taken to prevent the data breach.
If, based on the findings and analysis of the investigation, the Commissioner determines that CX failed to take reasonably practicable steps to ensure its customers’ data was handled properly, he may consider serving an enforcement notice on CX, directing it to take remedial action to prevent any recurrence.
In fact, PCPD investigated a similar leakage involving another airline services company in 2013 and 2014. The airline services company in question ran an iOS mobile application which was maintained by a third-party app maintenance contractor. The leakage resulted from the contractor’s failure to respond to a new privacy protection feature of iOS 7. The Commissioner found the airline services company had contravened DPP4(1) for failing to take all reasonably practicable steps to ensure the operation of the mobile application was protected against unauthorized or accidental access, and a warning was issued to the company for the breach.
Action Against IT Vendor
If CX’s IT vendor was indeed using real customer data for testing, it must have had control over the processing of data kept in CX’s database during the development and maintenance of CX’s software and systems. The IT vendor would thus be classified as a ‘data user’ under the Ordinance, and the Commissioner may then take direct enforcement action against it if he reaches a finding of contravention upon conclusion of the investigation.
GDPR: 72 Hours Notification and Action for Compensation
The European Union’s General Data Protection Regulation (GDPR), which came into force on 25 May 2018, requires companies to notify personal data breaches to the data protection authorities (DPAs) not later than 72 hours “after having become aware of it”. Based on CX’s representations, it should then have reported the breach to the DPAs in all relevant countries once it had confirmed there was unauthorized access to certain personal data of its customers in early May 2018. Even though CX might have become aware of the breach before GDPR came into effect, there is no information suggesting that CX either filed notifications with the DPAs or informed the affected data subjects of the breach right after 25 May 2018.
Under the new regulation, infringers may face a wave of claims by affected individuals, as data subjects are now entitled to seek compensation from the data controllers or processors concerned for damage suffered as a result of an infringement. They may at the same time be exposed to a fine of up to 4 percent of their annual global revenue.
Our Point of View
Beyond overseeing the day-to-day security of data processing, this incident reflects the need for data users to have in place appropriate technical and organizational measures for incident detection and response. A good incident response plan is not only a list of the members of the incident response team and their respective roles; it also requires the formal understanding and approval of senior leadership. Besides, the plan should include a detailed communication plan for dealing with third parties, including but not limited to regulatory enforcement authorities, aggrieved data subjects, insurers, the media and the general public.
Hugill & Ip will continue to monitor the development of this incident. In the meantime, we can assist organizations and individuals on data privacy issues, both in Hong Kong and through our international network. For a better understanding of how we can assist you, please feel free to contact us.