Thursday Nov 28, 2024
Wednesday, 7 November 2018 01:11 - - {{hitsCtrl.values.hits}}
HONG KONG (Reuters): Hong Kong’s privacy commissioner will launch a compliance investigation into Cathay Pacific Airways over a data breach involving 9.4 million passengers, saying the carrier may have violated privacy rules.
The airline has faced criticism for the seven-month delay in its October revelation of the breach in the data, which it said had been accessed without authorisation, following suspicious activity in its network in March.
“There are reasonable grounds to believe there may be a contravention of a requirement under the law,” Hong Kong’s Privacy Commissioner for Personal Data, Stephen Wong, said in a statement.
“The compliance investigation is going to examine in detail, amongst others, the security measures taken by Cathay Pacific to safeguard its customers’ personal data and the airline’s data retention policy and practice,” he added.
It will also cover Cathay’s fully owned subsidiary, Hong Kong Dragon Airlines Ltd., or Dragon Air, some of whose passengers were affected by the breach.
Cathay made no immediate response to Reuters’ email request for comment on the investigation. Telephone calls went unanswered.
The privacy watchdog said it had received 89 complaints related to the cyber leak.
In addition to 860,000 passport numbers and about 245,000 Hong Kong identity card numbers, the hackers accessed 403 expired credit card numbers and 27 credit card numbers with no card verification value (CVV), Cathay said.
It was not immediately clear who was behind the personal data breach or what the information might be used for, but Cathay said there was no evidence so far that any personal information had been misused.
Under Hong Kong law, the privacy commissioner can call witnesses, enter premises and hold public hearings in the investigation, which will check if Cathay violated any requirement of the Personal Data (Privacy) Ordinance.
The controversy has spurred calls from politicians and privacy advocates for Hong Kong to revamp its laws to make the reporting of such potential data breaches mandatory.