
Cathay Pacific flags data breach affecting 9.4M passengers - sexy_seedbox
https://www.reuters.com/article/us-cathay-pacific-cyber/cathay-pacific-flags-data-breach-affecting-94-million-passengers-idUSKCN1MY26L
======
jwr
I wonder how long until companies start regarding customer data as a liability
(and a risky one at that), rather than an asset.

~~~
ruskerdax
To my knowledge there are very few negative consequences, outside of the
immediate and obvious ones like reputation, that actually occur when companies
leak customer data. I suspect they won't regard keeping vast troves of
customer data as a liability until that changes.

~~~
awill
Just look at Facebook. How many people have deleted their accounts...

~~~
ruskerdax
I strongly suspect the amount of money Facebook makes utilizing that data
greatly outweighs the cost incurred by the "customers" they've lost as a
result of poor data handling.

------
ryandrake
Interesting how it’s always worded in a way that frames the negligent company
as the victim instead of the customers whose data was exfiltrated: “Company X
was attacked by hackers,” “Company Y was the victim of a data breach.” It's
never: “Company Z failed to secure customers’ information.”

~~~
dx87
I used to do contract pentesting for a big fortune 500 company, and they were
able to cut all kinds of security corners because they knew people would
perceive them as the victim. The person running our contract at the company
said that the people making budget decisions know that at worst there'll be a
small stock dip for 1-2 days in the event of a compromise, so they said it's
not worth the money to actually have good security because the general public
will just see the headlines and consider the company the equivalent of a
robbery victim.

~~~
TheSpiceIsLife
When people say _there are no consequences for the company yadda yadda yadda_
what they neglect to also mention is that, typically, there are no
consequences for those affected either.

If the _one billion_ odd people affected by major data breaches since 2005¹
all experienced some significant difficulty as a result, we could probably
expect a louder outcry and subsequent changes in behaviour by those we
entrust(?) our personal identifying information to.

I've been online since well before 2005, and the worst I've experienced is one
debit card being cancelled due to a failed fraudulent transaction attempt ~10
years ago, and ~2 months ago a successful fraudulent transaction of AU$13.36
which I noticed immediately (thanks mobile banking app notifications), which
resulted in me calling and cancelling the card and the charge being
reversed.

Of course, we're all paying more in fees due to insurance against such events,
but that appears to be an inconvenience that most people simply don't rate.

1. [https://news.ycombinator.com/item?id=18297966](https://news.ycombinator.com/item?id=18297966)

------
TheSpiceIsLife
So, I just glanced through this¹ Wikipedia entry and quickly added up all the
numbers in the yearly lists of major data breaches and came up with this
number:

929 million users / customers affected by _major_ data breaches since 2005.

There's probably at least some / a whole lot of overlap in some, but still...

Thusly, it'd be unusual if any particular individual hasn't had at least some
of their identity go astray.

1. [https://en.wikipedia.org/wiki/Data_breach](https://en.wikipedia.org/wiki/Data_breach)

~~~
Area12
Seriously, check out Troy Hunt's Have I Been Pwned?

[https://haveibeenpwned.com/PwnedWebsites](https://haveibeenpwned.com/PwnedWebsites)

------
nicolas_t
Just realized that with the information leaked (passport number, birthday,
name and asiamiles/MPC number), it would be enough to do the phone
verification with them and redeem miles from the account. So, not having
leaked passwords is really not that much of an achievement.

------
syntaxing
I'm curious how this is going to be handled by the HK government. Hong Kong
does have a privacy bureau (PCPD) but I am not sure what their jurisdiction is
and what litigation weapons they have.

That being said, Cathay Pacific has been really going downhill these past
couple of years. Not surprised that their IT side of things is affected as
well.

------
tzhenghao
I don't know why, this reminds me of Singapore Airline's account login/signup
flow. It's cringy to think that they only allow 6 numbers for their password
field. Yes, in 2018!

~~~
markdown
My bank (Westpac) only allows 6 alphanumeric characters in their passwords.

~~~
samtoday
Westpac's interface is quite funny. Only very recently did they allow pasting
passwords from a password manager, previously you had to use an on screen
keyboard (presumably to stop keyloggers).

On that note; any recommendations for Aussie banks that have a secure and
modern interface?

~~~
jen729w
Westpac customer here. If you just need basic banking, you can’t beat ING.
They still have a dumb type-a-PIN-by-pressing-buttons login screen, and the
customer ID field doesn’t accept pasted data, but other than that I love them.
No fees, even on international transactions. Apple Pay if you want it.

~~~
toothbrush
I'd love to endorse ING, but i must say, their security really worries me. I'm
just putting this out there: you log in to internet banking with your
"customer number" which is printed on your bank card, and then you have
exactly a 4-digit PIN you key in with their stupid on-screen keypad.

I love that they're relatively modern for Australian standards (fast payments,
no fees ever, basically) so i'd love to endorse them, but i, too, am on the
lookout for a replacement bank that has e.g. MFA with TOTP or a physical
challenge-response box like my otherwise overpriced ABN bank account gave me
back in 2002, in the Netherlands...

So i, too, am all ears for recommendations.

EDIT: and once you're in internet banking, you can willy nilly transfer cash
out if you either use a "saved address" (someone you've paid before) or you'd
need to hijack my mobile number. But $deity knows that's easy - just claim you
own a number and get it ported over to a new service no-questions-asked.
Facepalm, really.

------
0xmohit
It'd be good if there was a law that'd fine corporations for being unable to
protect user data.

Make the fine directly proportional to: number of people affected * bits of
leaked data for each user.

------
pandapower2
>data of about 9.4 million passengers of Cathay and its unit Hong Kong Dragon
Airlines Limited had been accessed without authorization.

>860,000 passport numbers, about 245,000 Hong Kong identity card numbers, 403
expired credit card numbers and 27 credit card numbers with no card
verification value (CVV) were accessed in the breach.

Those numbers don't seem to add up to anything close to 9.4 million. Feel like
I'm missing something.

~~~
Lazare
My assumption is a bunch of "less critical" info on ~8m passengers was accessed
(phone numbers? names?), and then ~1m had passport or credit card numbers
leaked, and they itemised the "more important" ones explicitly.

It doesn't make a lot of sense however I parse it, but that's the only thing
that makes the numbers work.

------
graystevens
_Reposting from the other thread at [https://news.ycombinator.com/item?id=18299015](https://news.ycombinator.com/item?id=18299015)_

It is unclear from any reporting as to how this technically happened, which is
a shame but hopefully that will be made public in the coming days. Some other
outlets[0] have an interesting statement:

> _The breach also included details about where each passenger had traveled
> and any comments made by customer service representatives. The amount of
> data accessed varied among passengers._

Based on those details, and the mention of 'no passwords were compromised',
chances are this breach has come from an internal helpdesk type system, or
possibly CRM. If however the statement around the passwords changes, that
opens up a few other possibilities.

What this doesn't sound like, are the attacks we saw on British Airways[1] and
Ticketmaster[2], where javascript was injected into the payment pages to
vacuum up payment details from customers.

The statement around "The company has no evidence that any personal
information has been misused" is always an interesting one, and is one of the
many reasons I created my startup Breach Insider[3], so that data breaches
like this could be detected much sooner (not 7 months later, as we have seen
here), with minimal false positive alerts, and definitive evidence if any data
has been misused. By using real email addresses that are unique to each
company/business, you can be sure to find out if that data ever leaks & is
abused for things like spam or phishing.

[0] [https://www.theverge.com/2018/10/24/18019958/cathay-pacific-airline-data-breach](https://www.theverge.com/2018/10/24/18019958/cathay-pacific-airline-data-breach)

[1] [https://www.britishairways.com/en-gb/information/incident/data-theft/latest-information#](https://www.britishairways.com/en-gb/information/incident/data-theft/latest-information#)

[2] [https://www.riskiq.com/blog/labs/magecart-ticketmaster-breach/](https://www.riskiq.com/blog/labs/magecart-ticketmaster-breach/)

[3] [https://breachinsider.com](https://breachinsider.com)
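The per-vendor canary mailbox idea described in the comment above, written out as an added example (my code, not Breach Insider's product or the commenter's): each vendor is handed an address whose tag is an HMAC over the vendor's name, so any unsolicited mail that later arrives at that address points back to the vendor that lost it, and a guessed or forged tag is rejected rather than blamed on anyone. The secret, the domain and the sample inbox are constructed for the demo.

```python
import hashlib
import hmac
import re
from typing import Dict, Iterable, Optional, Tuple

# Constructed values for this demo; a real deployment keeps the secret out of
# source control and uses a domain it actually controls.
SECRET = b"constructed-demo-secret"
DOMAIN = "canary.example"


def canary_address(vendor: str, secret: bytes = SECRET) -> str:
    """Derive one unique mailbox to hand to a single vendor. The tag is a
    truncated HMAC over the vendor name, so seeing one canary address does not
    let anyone mint a valid-looking one for another vendor."""
    vendor = re.sub(r"[^a-z0-9-]", "-", vendor.strip().lower())
    tag = hmac.new(secret, vendor.encode(), hashlib.sha256).hexdigest()[:12]
    return f"{vendor}.{tag}@{DOMAIN}"


def identify_leak(recipient: str, secret: bytes = SECRET) -> Optional[str]:
    """Return the vendor name if `recipient` is a genuine canary, else None."""
    m = re.fullmatch(r"([a-z0-9-]+)\.([0-9a-f]{12})@" + re.escape(DOMAIN),
                     recipient.strip().lower())
    if not m:
        return None
    vendor, tag = m.groups()
    expected = canary_address(vendor, secret).split("@", 1)[0].rsplit(".", 1)[1]
    # Constant-time compare so a guessed tag cannot be refined byte by byte.
    return vendor if hmac.compare_digest(tag, expected) else None


def triage(inbox: Iterable[Tuple[str, str]], secret: bytes = SECRET) -> Dict[str, int]:
    """Count unsolicited messages per vendor whose canary received them."""
    hits: Dict[str, int] = {}
    for recipient, _subject in inbox:
        vendor = identify_leak(recipient, secret)
        if vendor is not None:
            hits[vendor] = hits.get(vendor, 0) + 1
    return hits


# Constructed sample inbox: three phishing mails to real canaries, one to a
# forged tag (not counted) and one ordinary message (ignored).
SAMPLE_INBOX = [
    (canary_address("Airline-A"), "Your account has been suspended"),
    (canary_address("Airline-A"), "Verify your miles balance now"),
    (canary_address("telco-b"), "Invoice attached"),
    ("airline-a.000000000000@canary.example", "Win a prize"),
    ("me@example.com", "Lunch?"),
]
```

Running `triage(SAMPLE_INBOX)` attributes two messages to `airline-a` and one to `telco-b`; the forged and ordinary recipients contribute nothing.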

------
kevcampb
One important thing to note.

PCCW the main local telco uses Hong Kong ID numbers as passwords by default,
or at least they used to do so. This means that this database contains
usernames and passwords in cleartext for a significant number of users who
have never changed their accounts.

~~~
slygent
Certainly not just PCCW: [https://webb-site.com/dbpub/subject.asp?t=72](https://webb-site.com/dbpub/subject.asp?t=72)

------
throwaways123
Just got an email. My name and address were leaked in this breach. Even the
email they sent the message from has failed domain authentication. They have
become a joke to me.

------
lathiat
> Hogg said no passwords were compromised in the breach and the company was
> contacting affected passengers to give them information on how to protect
> themselves.

Well that's good! My precious password that can be easily changed wasn't
leaked!

> Cathay in a statement said accessed data includes names of passengers, their
> nationalities, dates of birth, telephone numbers, email and physical
> addresses, passport numbers, identity card numbers and historical travel
> information.

oh...

~~~
noobermin
I hear you. One issue is that most people use similar passwords for all their
services, which yes is problematic and a travesty but that's how it is.

So getting someone's name and personal information (that yes, can also be used
for identity theft) is not as bad as now having a list of names and passwords
to try to use on bank websites, for example.

~~~
nicolas_t
Passport number + date of birth and name is enough for a social engineering
attack against a lot of banks (hopefully they didn't leak my credit card BIN
to make it extra helpful to identify my bank).

So my passport number leaking is personally much worse for me than if my
password leaked (which I'm very careful to protect).

~~~
jfaat
Do a lot of banks have access to your passport number and use that as
identifying info or is there another leg like passport -> ssn -> bank?

~~~
culturestate
If you live (and are opening a bank account) in a country other than your own,
your passport is one of the only ways to prove your identity for KYC. I had to
show both my HKID and my passport to get an account at HSBC, and I can use
either of them as ID at the teller window.

~~~
tacostakohashi
Sure, although in that case it's having a passport in your possession that
serves as ID, as distinct from merely knowing the number.

I suspect you might find that a different passport with a different number,
expiry date, or even nationality but the same name and date of birth would
work equally well.

~~~
culturestate
> I suspect you might find that a different passport with a different number,
> expiry date, or even nationality but the same name and date of birth would
> work equally well

Nope. All of the information must match, and they even (excruciatingly)
compare the signature in my passport to the one they have on file. At another
bank where I used only my HKID to open the account, I'm not permitted to use
my passport.

~~~
nicolas_t
Banks and signatures in HK, that's a true love story in itself. I've never
seen banks that are so obsessed with signatures and will reject documents
because the signature doesn't exactly match the one they have on file...

Which means you need to have a photo of any signature you register with a bank
there or later on forms you sign will be rejected.

