Date
21 November 2018
Cathay Pacific needs to expand its IT team, among other measures, to address concerns related to data security in the wake of the recent incident where data on 9.4 million passengers was exposed, says IT expert Eric Fan. Photos: HKEJ, Reuters

How Hong Kong can fix data security vulnerability

Data security and privacy have become a major talking point in Hong Kong after a slew of disturbing recent incidents, the latest involving the city’s flag carrier, Cathay Pacific Airways, where a data breach exposed the personal information of up to 9.4 million passengers.

The Hong Kong Economic Journal recently sat down with Eric Fan Kin-man, a senior office-bearer at the Hong Kong Information Technology Federation, to discuss the issue and obtain his views on how the city, and the public in general, can fix cybersecurity vulnerabilities.

HKEJ: What are your thoughts on the recent Cathay Pacific data breach?

Fan: From what the company told the public, we learned that the passenger information has been improperly accessed, but there is no evidence that any passenger has had his or her travel information leaked totally. It is hard to understand. I think the data leak may have nothing to do with hacking; the incident could be a result of a system failure within the company.

However, the incident occurred in March this year and was only announced in late October, which means it has been kept from the public for seven months. Moreover, the company did not report the incident to Hong Kong’s Office of the Privacy Commissioner for Personal Data (PCPD). As a listed company in Hong Kong, Cathay has shown limited responsibility and accountability on customer data protection.

Also, with the 9.4 million passengers involved in the incident, will the company be subject to the European Union’s General Data Protection Regulations (GDPR), which takes effect on May 25? That’s a question to ask.

An organization in breach of GDPR laws will be fined up to 4 percent of annual global turnover or 20 million euros (US$24.6 million), whichever is bigger. For companies making billions in turnover, this could mean a big hit if they were to breach any rules.

Q: Moving forward, what measures do you think the airline can take to enhance customer data security?

A: We have seen Cathay Pacific has laid off a large number of IT staff in recent years in order to cut costs, and there is no IT director in the company. I believe it is imperative for the airline to expand its IT team, which would be helpful in reshaping the corporate image in the long run.

Q: Last month, the Hong Kong Monetary Authority (HKMA) received reports of fraudulent use of the Faster Payment System (FPS) it launched in September. What should the operators, as well as citizens, do in response to the data exposure risk?

A: The process of opening an e-wallet account is relatively simple; there is a fraud risk if fraudsters get the personal information, say, personal ID and address.

For the FPS, as it is integrated in different digital banking and e-wallet platforms, it is necessary for the operator of FPS to consider the vulnerability of each platform and system linked. Authorities and corporates must carefully consider the data security risk when designing mobile applications.

Q: The Hong Kong Tourism Board (HKTB) recently cancelled light shows by drones at an annual festival apparently due to deliberate radio signal interference. How does that happen?

A: As far as I have learned, it only takes a single interference device, which is available in online marketplaces, to jam the wireless transmission system and GPS positioning signal of the drones, and that could make the drones unable to fly.

Q: We have seen many companies adopting the above new technologies and equipment. How should the government and enterprises prepare for the upcoming trend?

A: I believe in the future, we will be able to use all kinds of new technologies to receive various information and data. I would suggest the Hong Kong government adopt more stringent controls on the import of those new technology devices, say, a user identity verification procedure, to protect the safety of the public.

This article appeared in the Hong Kong Economic Journal on Nov 9

Translation by Ben Ng with additional reporting


BN/RC
