In this photo, taken on March 15, 2017, Cathay Pacific employees work at their counters at the international airport in Hong Kong. (Photo by ANTHONY WALLACE / AFP)
Updated @ 11:40, Nov. 10, 2018
The personal data of over 100,000 Filipinos, including passport and credit card information, were compromised in a data breach at Hong Kong flag carrier Cathay Pacific Airways earlier this year.
The National Privacy Commission (NPC) said the data breach was first detected in March and confirmed in May this year, but Cathay Pacific informed the NPC only on Oct. 25 that Filipinos were affected.
“Among those fields taken were passenger name, nationality, date of birth, phone number, e-mail, credit card number, address, passport number, identity card number, frequent flyer membership number, customer service remarks and historical travel information,” the NPC said.
102,209 affected
The agency said a total of 102,209 Filipinos were affected in the data breach and the information in 35,700 passports and 144 credit cards were likely compromised.
The extent of the data compromised varies for each person, but it was a breach that involved 9.4 million passengers worldwide, Cathay Pacific said.
While the breach was found months earlier, the company claimed that it only determined “very recently” that Filipinos were also affected, the NPC said, citing the Cathay Pacific report.
Apparent failure to report
“On the surface, there appears to be a failure on the part of Cathay to report to this commission what it knew about the data breach at the time it confirmed unauthorized access, and what the affected data fields are,” the NPC said in an order dated Oct. 29 but released only on Saturday.
Under the country’s Data Privacy Law, a company or agency needs to notify the NPC within 72 hours Cathay Pacific learned or even reasonably suspected that a data breach happened.
Show cause order
This notification is mandatory if the data could be used to enable data fraud, if it’s in the wrong hands, and if there’s a real serious harm to the person, the NPC said.
Moreover, mandatory notification applies especially if the data is about the financial or economic situation of the person.
The NPC has ordered the airline to explain why it should not be prosecuted under the Data Privacy Act, which imposes criminal liability for the failure to notify.
The NPC asked the company to explain within 10 days why the airline should not be presumed to have failed to notify, which could make company officials criminally liable.
The NPC also told the company to submit within five days further information on measures that have been taken to address the breach.
Hong Kong also involved
Francis Acero, NPC division chief for complaints and investigations, told the Inquirer the airline would be given sufficient time to respond.
“[But] we don’t know when they received [the order]. We’ll let the process take its course,” he said.
Aside from the NPC, the Hong Kong government is also demanding more answers from the airline.
The Hong Kong government expressed on Oct. 26 its serious concern about the incident and ordered the airline to cooperate with its privacy agency.
The airline came under fire from the Office of the Privacy Commissioner for Personal Data, for not disclosing the problem until more than half a year later, according to the South China Morning Post.
The newspapers quoted the airline as saying that it would “cooperate fully with authorities” and that it was in the process of contacting affected passengers. /atm /pdi