100,000 Filipinos affected by data breach that hit airline | Inquirer News

100,000 Filipinos affected by data breach that hit airline

/ 09:50 PM November 10, 2018

Cathay Pacific workers

In this photo, taken on March 15, 2017, Cathay Pacific employees work at their counters at the international airport in Hong Kong. (Photo by ANTHONY WALLACE / AFP)

Updated @ 11:40, Nov. 10, 2018

The personal data of over 100,000 Filipinos, including passport and credit card information, were compromised in a data breach at Hong Kong flag carrier Cathay Pacific Airways earlier this year.

Article continues after this advertisement

The National Privacy Commission (NPC) said the data breach was first detected in March and confirmed in May this year, but Cathay Pacific informed the NPC only on Oct. 25 that Filipinos were affected.

FEATURED STORIES

“Among those fields taken were passenger name, nationality, date of birth, phone number, e-mail, credit card number, address, passport number, identity card number, frequent flyer membership number, customer service remarks and historical travel information,” the NPC said.

102,209 affected

The agency said a total of 102,209 Filipinos were affected in the data breach and the information in 35,700 passports and 144 credit cards were likely compromised.

Article continues after this advertisement

The extent of the data compromised varies for each person, but it was a breach that involved 9.4 million passengers worldwide, Cathay Pacific said.

Article continues after this advertisement

While the breach was found months earlier, the company claimed that it only determined “very recently” that Filipinos were also affected, the NPC said, citing the Cathay Pacific report.

Article continues after this advertisement

Apparent failure to report

“On the surface, there appears to be a failure on the part of Cathay to report to this commission what it knew about the data breach at the time it confirmed unauthorized access, and what the affected data fields are,” the NPC said in an order dated Oct. 29 but released only on Saturday.

Article continues after this advertisement

Under the country’s Data Privacy Law, a company or agency needs to notify the NPC within 72 hours Cathay Pacific learned or even reasonably suspected that a data breach happened.

Show cause order

This notification is mandatory if the data could be used to enable data fraud, if it’s in the wrong hands, and if there’s a real serious harm to the person, the NPC said.

Moreover, mandatory notification applies especially if the data is about the financial or economic situation of the person.

The NPC has ordered the airline to explain why it should not be prosecuted under the Data Privacy Act, which imposes criminal liability for the failure to notify.

The NPC asked the company to explain within 10 days why the airline should not be presumed to have failed to notify, which could make company officials criminally liable.

The NPC also told the company to submit within five days further information on measures that have been taken to address the breach.

Hong Kong also involved

Francis Acero, NPC division chief for complaints and investigations, told the Inquirer the airline would be given sufficient time to respond.

“[But] we don’t know when they received [the order]. We’ll let the process take its course,” he said.

Aside from the NPC, the Hong Kong government is also demanding more answers from the airline.

The Hong Kong government expressed on Oct. 26 its serious concern about the incident and ordered the airline to cooperate with its privacy agency.

The airline came under fire from the Office of the Privacy Commissioner for Personal Data, for not disclosing the problem until more than half a year later, according to the South China Morning Post.

Your subscription could not be saved. Please try again.
Your subscription has been successful.

Subscribe to our daily newsletter

By providing an email address. I agree to the Terms of Use and acknowledge that I have read the Privacy Policy.

The newspapers quoted the airline as saying that it would “cooperate fully with authorities” and that it was in the process of contacting affected passengers. /atm /pdi

TAGS:

No tags found for this post.
Your subscription could not be saved. Please try again.
Your subscription has been successful.

Subscribe to our newsletter!

By providing an email address. I agree to the Terms of Use and acknowledge that I have read the Privacy Policy.

© Copyright 1997-2024 INQUIRER.net | All Rights Reserved

This is an information message

We use cookies to enhance your experience. By continuing, you agree to our use of cookies. Learn more here.