In June, the aviation industry suffered one of the largest known data breaches in recent history when the personal data of 9.4 million Cathay Pacific passengers was compromised. Mark Parsons, Mark Lin and Byron Phillips from Hogan Lovells in Hong Kong unpick the lessons to be learnt
In June, the Privacy Commissioner for Personal Data of Hong Kong (PCPD) issued an enforcement notice against Cathay Pacific Airways (and its affiliate Hong Kong Dragon Airlines) after a data breach compromised the personal data of some 9.4 million customers.
The enforcement notice concerned two aspects of the Personal Data (Privacy) Ordinance (PDPO):
- data security: an organisation must take steps to ensure that personal data is protected against unauthorised access; and
- data retention: an organisation must take steps to ensure that personal data is kept no longer than necessary to fulfill the purposes for which it has been lawfully collected.
The enforcement notice raises key practical compliance points for those assessing and managing data security risk:
- an organisation’s failure to have completed a data inventory could amount to a breach of the PDPO;
- multi-factor authentication may now be a requirement under the PDPO for remote access to personal data by company employees; and
- PDPO compliance may require organisations to take appropriate professional advice on information security matters and ensure that best practices are being followed.
Further, because of the scale of the Cathay Pacific data breach, as well as the lapse of time between discovery and reporting (see below), there is speculation that Hong Kong may introduce a mandatory data breach notification obligation to the PDPO.
Comprehensive mandatory data breach notification obligations already exist in Australia, the Philippines, Taiwan and South Korea, with Singapore likely to adopt this soon. The PCPD encourages breach notification, but as in China and Japan, this remains a recommended best practice rather than a mandatory requirement.
The decision may also support class action civil suits in some jurisdictions and rekindle the debate about Hong Kong’s stalled efforts to create a class action regime.
The Cathay Pacific breach related to more than one vulnerability in the airline’s systems and probably involved more than one party. It had also been under way for some time before being detected, and concerned some 9.4 million individuals from over 260 jurisdictions.
The attacks affected four systems: the customer loyalty system, a shared back-end database used to support web-based applications, a reporting tool that extracted and complied data from other databases, and a database used to allow customers to redeem non-air rewards through the Asia Miles loyalty scheme.
The airline notified the PCPD of the breach on 24 October 2018 and started notifying affected people the next day.
The PCPD’s conclusions
There is currently no mandatory breach notification requirement in the PDPO. The PCPD’s investigation therefore focused primarily on Cathay Pacific’s compliance with its data security and retention obligations.
In respect of data security, the PCPD came to the following conclusions:
- A vulnerability scan of the internet-facing server Cathay Pacific carried out in 2017 had not detected the critical vulnerability, even though: details of this vulnerability had been widely published since 2007 and so was well known to the industry at this time, and the airline’s scanning tool was equipped in 2013 to detect this vulnerability.
- The annual scan of the internet-facing server was insufficiently frequent.
- The administrator console was accessible externally rather than limited to internal network access, which was deemed deficient.
- Before spotting the vulnerability, only Cathay Pacific’s IT support teams had to use multi-factor authentication to access internal systems remotely (an oversight remedied in July, 2018).
- Database back-up files used to support database migrations carried out between 2016 and 2018 were not encrypted.
- A personal data inventory was not started until August 2017, but in any event this exercise had not completed when the breach was discovered.
Based on these points, the PCPD found that Cathay Pacific had breached the DPDO.
As to data retention, notwithstanding policies around deletion of data, Cathay Pacific was found to have retained about 240,000 Hong Kong identification card numbers for 13 years after stopping using this data to verify identities. This unnecessary retention breached the PDPO.
As to the delay in notification, Cathay Pacific notified the PCPD of the security breaches on 24 October 2018 and started notifying affected data subjects the next day - seven months after the initial attack and five months after its internal investigations detected unauthorised access.
The PCPD found that Cathay could have made its notification sooner, although this delay did not in itself breach the PDPO.
What happens now?
According to the enforcement notice, Cathay Pacific should:
- engage an independent data security expert to overhaul the systems containing personal data to ensure that systems are free from malware and known vulnerabilities;
- implement effective multi-factor authentication for all remote users of its systems and undertake regular reviews of remote access privileges;
- implement an appropriate vulnerability scanning program;
- engage a data security expert to conduct regular reviews on the security of its networks;
- devise, implement and enforce a clear data retention policy;
- provide the PCPD with documentary proof of compliance of items 1 through 5 within six months of the date of the enforcement notice; and
- erase all unnecessary Hong Kong identity card data from its loyalty program systems and provide independent third-party certification of this having been done within three months from the date of the enforcement notice.
The PCPD noted the increasing risks posed by data security breaches and recommended that organisations redouble efforts to be accountable for personal data, including efforts by the PCPD to ensure that data protection is a matter of high-level governance within organisations (and not just within their IT departments), including as recommended through the PCPD’s Privacy Management Programm e.
The spotlight on Cathay Pacific continues, information having recently surfaced of its practice of recording passenger activity through its in-flight entertainment system, including collecting images of passengers.
Proper internal controls needed
In a world where organisations obtain, retain and process more and more personal data, and cyber attacks become increasingly sophisticated and difficult to combat, there are clearly lessons to be learned from the Cathay Pacific breach. The sheer scale of the breach shows how badly things can go wrong without proper internal controls and the PCPD has been at great pains to point out where Cathay Pacific fell short and what an effective data security policy should look like.
Cathay Pacific is by no means alone. Both Marriott and British Airways have recently received significant fines related to substantial data breaches and, sadly, they will not be the last.
Managing the risk of cyber incidents
- Know your risk profile - identify internal and external factors that make the company susceptible to a data breach.
- Develop internal and external monitoring systems to detect a cyber incident early.
- Deploy regular data breach prevention, procedure and protocol training to key stakeholders.
- Conduct regular security risk assessments.
- Create a cyber incident response team.
- Prepare internal and external communication channels/strategy, including social media control strategy.
- Devise business continuity plan.
- Prepare an internal cyber incident response plan outlining the above.
A question of class (actions)
Specialist class action lawyers in the US and Europe have been readying themselves for mass claims against Cathay Pacific since the data breach was announced – the PCPD’s findings will only add fuel to that fire.
This case will also, no doubt, reignite the discourse around whether Hong Kong should implement a class action regime for consumer cases.
In 2012, the Law Reform Commission of Hong Kong (the LRC) recommended the introduction, under an incremental approach, of a class action regime, following which the Department of Justice created a cross-sector working group.
The working group’s current view is that more in-depth analysis is needed, including of the proposed definition of “consumer cases”, certification criteria for a class action to be adopted by the courts, the design of the procedural rules and other ancillary measures.
A draft public consultation is said to be in development, although there is no timetable for its completion yet.
It is unsurprising that the Department of Justice is taking its time: there are competing public policy considerations. A class action regime would likely enhance access to justice and provide an efficient (and faster) mechanism for dealing with consumer cases. However, there is a concern about inadvertently creating a more litigious society, such as in the US. The LRC’s recommendation of an incremental approach was designed to ameliorate the risk of the latter but the concern is real.
This is definitely a space to watch. From our experience defending class actions in the US and elsewhere, any move towards a similar regime would significantly alter Hong Kong’s legal landscape. Whether that is for the better or not remains to be seen.