Experts and lawmakers urged the government to strengthen regulations on personal data protection and called for stiffer punishment for violators after Cathay Pacific Airways reported a massive data breach of its computer system seven months after it occurred.
Privacy Commissioner for Personal Data Stephen Wong Kai-yi said it was difficult to accept that Cathay held back on informing customers about the data leak for so long, although he acknowledged there was no legal requirement for the airline to report the incident immediately.
Lawmaker Elizabeth Quat Pui-fan, who chairs the Legislative Council’s Panel on Information Technology and Broadcasting, stressed the need to revise existing regulations on online privacy as they are outdated and lack sufficient deterrent effect, the Hong Kong Economic Journal reports.
Given the current situation, the Office of the Privacy Commissioner for Personal Data is like a “toothless tiger”, Quat said.
Cathay revealed on Tuesday that it discovered suspicious activity on its computer network as early as March and confirmed in early May that some personal data of its customers had been accessed without authorization.
The data included passenger name, nationality, date of birth, phone number, email, physical addresses, passport number, identity card number, frequent flyer program membership number, customer service remarks, and historical travel information, along with the numbers of hundreds of credit cards.
Paul Loo Kar-pui, Cathay’s chief customer and commercial officer, sought to explain the long delay by saying that the airline wanted to avoid introducing unnecessary panic among its customers and had to spend more time to find out what really happened.
Cathay chief executive Rupert Hogg on Thursday evening issued an apology for the massive data leak.
“Upon discovery, we acted immediately to contain the event and thoroughly investigate. We engaged one of the world’s leading cybersecurity firms to assist us and we further strengthened our IT security measures too,” Hogg said in a video posted on the airline’s official website.
“We have no evidence that any personal data has been misused,” Hogg said.
Nonetheless, Cathay offered a free identity monitoring service for 12 months to affected passengers. The service will monitor whether a passenger’s personal data is available on public websites, social media platforms and other places on the internet.
“Once again, I am truly sorry for the concern this may have caused you,” the airline’s CEO said.
Cathay is likely to escape punishment from the government, as current regulations leave it to companies to report data leaks on a voluntary basis.
A lawyer also said the airline may not be held liable under the European Union’s General Data Protection Regulation (GDPR).
Under the GDPR, which took effect on May 25 this year, all companies in the world are subject to its rules as long as they hold personal information of EU citizens, suggesting Cathay, which operates multiple routes to Europe, is included.
The GDPR requires a company to report a personal data breach within 72 hours of becoming aware of it; otherwise, it faces a fine of up to 20 million euros (US$22.74 million) or 4 percent of its global turnover, whichever is higher.
Barrister Craig Choy Ki, who is also convenor of the Progressive Lawyers Group, said whether Cathay will end up being fined by the EU depends on whether the data breach took place in March only or whether there were other similar leaks after the GDPR took effect.
Cathay did not immediately respond to HKEJ requests for comments about a possible violation of the new EU law.
Lawmaker Charles Mok Nai-kwong, who represents the information technology functional constituency, said he does not rule out the possibility that the incident could be linked to the mass layoff of the airline’s IT staff last year.
More than 100 personnel from its IT department were terminated last year as part of the airline’s efforts to turn a profit.