NPC alarmed over Cathay’s failure to timely report data breach involving over 100,000 Philippine passengers

(Eagle News) – The National Privacy Commission is alarmed regarding the data breach involving 102,209 Philippine passengers of Cathay Pacific Airways, whose sensitive personal information, including credit card details and passport information, had been breached since March this year.

Cathay Airways only notified the NPC about this data breach on October 25, prompting the Commission to issue an order asking the airline company to explain why it failed to immediately or “timely notify” the government about this data breach that could result in the “criminal liability on the part of the responsible officers of Cathay.”

-Order to explain-

In an order dated Oct. 29, NPC asked Cathay to “explain within 10 days.” It also ordered the airline company to “submit within five days further information on the measures to address the breach.”

It said such data breaches should have been reported to the Commission within 72 hours upon discovery.

The order to Cathay was signed by Francis Euston Acero, division chief of the Complaints and Investigation Division of NPC, and Gilbert Santos, director IV of the NPC’s Legal and Enforcement Office.

According to the NPC, it only received a notification from Cathay, specifically from Atty. Pericles Casuela, about the data breach report acknowledging that it was on March 13 this year that Cathay noted “suspicious activity on its network” that prompted it to start an “internal investigation with the assistance of Mandiant, a cybersecurity firm.”

“On 7 May 2018, Cathay’s forensic investigators confirmed unauthorized access to some information systems within Cathay,” the notification read.

“At some point, Cathay was able to determine the data accessed or exfiltrated by still unknown individuals.”

-Cathay: Data exposure of each subject varies-

“The personal data of passengers of Cathay and Hong Kong Dragon Airlines Ltd. were affected. The personal data of members of Cathay’s frequent flyer program, Asia Miles (managed and operated by Cathay’s wholly owned subsidiary, Asia Miles Ltd.), were also affected,” the notification read.

Cathay said that the “exposure of each data subject varies.”

“Among those fields taken were passenger name, nationality, date of birth, phone number, e-mail, credit card number, address, passport number, identity card number, frequent flyer membership number, customer service remarks, and historical travel information.”

Cathay said that “no travel or loyalty profile was accessed in full, and no passwords were compromised.”

The NPC said that based on Cathay’s report, the airline company claimed it had “’very recently’ determined the Philippine nationality of those compromised in the attack through Philippine passport details, or where other personal data in Cathay’s possession contained a Philippine address or telephone number.”

Cathay’s analysis showed that “some 102,209 Philippine data subjects had their data compromised.”

“Roughly 35,700 passport numbers from the Philippines were exposed. There were 144 credit card numbers exposed,” it said.

The NPC explained that “under Philippine law, notification to this Commission and to the data subjects of the existence of a data breach becomes mandatory when: (a) what is involved is data that is classified as sensitive personal information or information that can be used to enable identity fraud; (b) there is reason to believe that this information is in the hands of an unauthorized person; and (c) there is real risk of serious harm to the data subject.”

“This section applies especially when what is involved is data that is about the financial or economic situation of the data subject, including but not limited to licenses with unique identifiers.”

The NPC said that Cathay should have informed the Commission about this sensitive data breach “within 72 hours from such knowledge.”

-NPC: Failure to timely notify gov’t, violation of PHL law-

“The law also provides that when there is a failure to notify this Commission, or when the Commission determines that there is an unreasonable delay to the notification, there is a presumption that there is a failure to notify,” the NPC said.

“When such a failure or delay exists, this Commission may investigate further the circumstances surrounding the data breach, including the failure to report or any undue delay,” it said.

It reminded Cathay that Philippine law “imposes criminal liability on persons who, after having knowledge of a security breach and of the obligation to notify the Commission under Philippine law, intentionally or by omission conceals the fact of such security breach.”

“On the surface, there appears to be a failure on the part of Cathay to report to this Commission what it knew about the data breach at the time it confirmed unauthorized access, and what the affected data fields are,” it said.

“Cathay’s term ‘very recently’ does not establish any timeline through which we may determine the timeliness of the report dated October 25, 2018,” the NPC added.

The Commission also said that Cathay’s statement in its report to the NPC that it had instituted measures to enhance “the security and monitoring within its environment” and that it is working to “prevent future unauthorized access to its systems and databases” was not enough.

The NPC said that this did “not meet (the) required specificity required of notifications to this Commission.”

https://youtu.be/OQFtZbY7TdA