MANILA, Philippines – Over 100,000 Filipinos were affected by the Cathay Pacific Airways data breach that happened in March, the Hong Kong airline said in a report to the Philippines’ National Privacy Commission (NPC).
The NPC cited the airlines’ findings in an order directing Cathay to explain why the commission should not prosecute its concerned officers for reporting a data breach in its system several months after the incident happened.
NPC released the October 29 order to the media on Saturday, November 10.
The airline announced on October 24 that it had suffered a major data leak affecting up to 9.4 million passengers. It admitted that data including passport numbers, identity card numbers, email addresses, and credit card details had been accessed.
The NPC said in its order that based on the Cathay report to the commission, the airline “determined the Philippine nationality of those compromised in the attack through Philippine passport details, or where other personal data in Cathay’s possession contained a Philippine address or telephone number.”
The NPC said Cathay’s analysis in terms of the data breach affecting Philippine passengers are as follows:
Through lawyer Pericles Casuela, Cathay reported to the NPC, among others, varying degrees of exposure of each data subject.
"Among those fields taken were passenger name; nationality, date of birth, phone number, e-mail, credit card number, address, passport number, identity card number, frequent flyer membership number, customer service remarks, and historical travel information," the NPC said, citing the Cathay report.
Cathay also informed NPC that "no travel or loyalty profile was accessed in full, and no passwords were compromised."
In its order, NPC directed Cathay to:
1. EXPLAIN within ten (10) days why Cathay should have this Commission overcome the presumption that there has been a failure to timely notify this Commission about the occurrence of a data breach requiring such timely notification giving rise to criminal liability on the part of the responsible officers of Cathay; and 2. SUBMIT within five (5) days further information on the measures taken to address the breach.
"For a full appreciation of the circumstances surrounding this report, and the data breach that it describes, it is necessary to require Cathay to explain, in writing, why Cathay and its responsible officers should not be prosecuted under the provisions of the Data Privacy Act of 2012 for Concealment of Security Breaches Involving Sensitive Personal Information," the NPC said.
The NPC noted that Cathay submitted the data breach report to the commission only on October 25, or months after the incident was detected on March 13, and confirmed on May 7.
It stressed that under Philippine law, such data breach should have been reported to the NPC within 72 hours of "knowledge" of the incident.
"The failure to report such a data breach in a timely manner may require this Commission to fulfill its mandate to ensure compliance of personal information controllers with the provisions of the Data Privacy Act. Philippine law imposes criminal liability on persons who, after having knowledge of a security breach and of the obligation to notify the Commission under Philippine law, intentionally or by omission conceals the fact of such security breach," the NPC said.
"On the surface, there appears to be a failure on the part of Cathay to report to this Commission what it knew about the data breach at the time it confirmed unauthorized access, and what the affected data fields are," it added.
It also said Cathay's personal information controllers "also need to explain the remediation measures taken following a data breach in a mandatory report."
"On the face of the report, Cathay’s measures that have 'enhanced the security and monitoring with its environment' and 'working with [Mandiant], as well as other cybersecurity experts, to implement measures to prevent future unauthorized access to its systems and databases, as well as further enhance its IT security generally' does not meet required specificity required of notifications to this Commission," the NPC said.
Read the full order here: