The National Privacy Commission on Saturday said it has ordered Cathay Pacific Airways to address issues concerning a data breach involving personal information of 100,000 Filipinos, more than 35,000 exposed Philippine passport numbers, and over 100 exposed credit card numbers.
In its report submitted to the NPC on October 25, Cathay Pacific said that on March 13 it noted "suspicious activity" on its network and commenced an internal investigation with the assistance of a cybersecurity firm.
On May 7, the airline's forensic investigators confirmed unauthorized access to some of its information systems.
Cathay was able to determine which data had been accessed or exfiltrated by the still-unknown individuals.
The affected information included the personal data of passengers of Cathay and Hong Kong Dragon Airlines Ltd., and the personal data of members of Cathay's frequent flyer program and Asia Miles.
"Among those fields taken were passenger name; nationality, date of birth, phone number, e-mail, credit card number, address, passport number, identity card number, frequent flyer membership number, customer service remarks, and historical travel information," according to Cathay Pacific's report submitted to the NPC.
"No travel or loyalty profile was accessed in full, and no passwords were compromised," it said.
Citing Cathay Pacific's report, the NPC said the airline "very recently" determined which of the affected data subjects were Filipino, either through Philippine passport details or where other personal data in Cathay's possession contained a Philippine address or telephone number.
According to Cathay Pacific's analysis, some 102,209 Philippine data subjects had their data compromised, roughly 35,700 Philippine passport numbers were exposed, and 144 credit card numbers were exposed.
But the NPC said the airline's management failed to report the data breach immediately after it was confirmed.
"There appears to be a failure on the part of Cathay to report to this Commission what it knew about the data breach at the time it confirmed unauthorized access, and what the affected data fields are. Cathay’s term, 'very recently,' does not establish any timeline through which we may determine the timeliness of the report dated 25 October 2018," the NPC said.
The Privacy Commission said a personal information controller or personal information processor must notify the agency within 72 hours of knowing, or reasonably believing, that a personal data breach has occurred.
"For a full appreciation of the circumstances surrounding this report, and the data breach that it describes, it is necessary to require Cathay to explain, in writing, why Cathay and its responsible officers should not be prosecuted under the provisions of the Data Privacy Act of 2012 for Concealment of Security Breaches Involving Sensitive Personal Information," the NPC said.
The Privacy Commission gave Cathay Pacific 10 days to explain why the NPC should set aside the presumption that the airline failed to notify the agency in time of a data breach requiring such notification, a failure that would give rise to criminal liability on the part of Cathay's responsible officers.
The airline was also ordered to submit within five days further information on the measures taken to address the breach. —Ted Cordero/LBG, GMA News