Cathay Pacific is the latest to suffer a large scale data breach. The attackers were able to gain ‘unauthorized access’ to passenger data for up to 9.4 million people. The following data was accessed (emphasis ours):
- passenger name;
- nationality;
- date of birth;
- phone number;
- email;
- address;
- passport number;
- identity card number;
- frequent flyer programme membership number;
- customer service remarks; and
- historical travel information.
A small amount (403) expired credit card numbers were also accessed along with twenty-seven credit card numbers with no CVV. What makes matters worse is that Cathay Pacific first detected suspicious activity in March and then confirmed that unauthorized access was used to obtain the sensitive personal information listed above. Why has it taken almost half a year for customers to be notified? Cathay Pacific have stated they will be notifying affected customers by multiple communication channels.
I’ve said it before and I’ll say it again, until the penalties for data breaches are increased corporations will fail to adequately invest in cyber security. The individual damage that can be done by a data breach cannot be understated and it’s time for regulators to move to increase the penalties.
