Cathay Pacific waited six months before disclosing the security breach
13.11.2018 securityaffairs

Cathay Pacific has admitted that it was under attack for three months and it took six months to disclose the data breach.
At the end of October, Cathay Pacific Airways Limited, the flag carrier of Hong Kong, announced that had suffered a major data breach affecting up to 9.4 million passengers.

Exposed data includes passport numbers, identity card numbers, email addresses, and credit card details were accessed, information exposed varies for each affected passenger.

The IT staff at Cathay discovered an unauthorized access of systems containing the passenger data of up 9.4 million people. Hackers also accessed 403 expired credit card numbers and twenty-seven credit card numbers with no CVV were accessed.

Cathay Pacific notified the incident to local police and legislators, it also set up a website for customers want to know if their personal data may have been exposed.

Now Cathay Pacific has admitted that it was under attack for three months and it took six months to disclose the data breach.

In the official statement released by the airline, the company declared it had detected “suspicious activity” earlier March 2018.

A written submission by Cathay Pacific Airways Limited to Hong Kong’s Legco reveals the company confirmed to be aware that in March it was under a full-scale attack on its servers. The attacks continued during the investigation, for three months the company was under siege.

“During this phase of the investigation, Cathay was subject to further attacks which were at their most intense in March, April and May but continued thereafter. These ongoing attacks meant that internal and external IT security resources had to remain focused on containment and prevention. “reads the written submission.

“Remediation activities began as part of this effort and continued throughout. Even as the number of successful attacks diminished, we remained concerned that new attacks could be mounted.”

Cathay Pacific

Of course, experts have challenged the company to have kept the security breach hidden for six long months exposing its customers to further risks depending on the nature of the data exposed.

“During the second phase[confirming on which data had been accessed], the two big issues were: which passenger data had been accessed or exfiltrated and, since the affected databases were only partially accessed, whether the data in question could be reconstructed outside Cathay’s IT systems in a readable format useable to the attacker(s).” continues the submission.

“Conclusions on these issues proved difficult and time-consuming and were only reached in mid-August.”

The company explained that it spent a lot of time to reconstruct for every single user which data was accessed.