
Cathay Pacific data hack hits 9.4M passengers - scaryclam
https://www.bbc.co.uk/news/business-45974020
======
dang
[https://news.ycombinator.com/item?id=18297608](https://news.ycombinator.com/item?id=18297608)

------
reallymental
So what happens with all this data?

I'm willing to bet some of it is pretty critical [valid credit card details?],
it might end up in the Dark Web, auctioned off or something like that.

Some of it is useless (not valid anymore, or just junk emails used to sign
up).

Cathay doesn't tell us what else has been leaked (or they don't know), but
what if there's a team on the other end of the hacks that actually analyses
the metadata of these hacks, and finds out the frequency of movement of some
people, and adds that to their 'alpha'?

~~~
sbuk
Could contain more than just CC details; I'd be worried about passport
numbers.

------
raesene9
I do wonder when/if companies will move wholesale to avoiding security
mechanisms that rely on the secrecy of particular pieces of static information
(e.g. passport numbers, Social Security Numbers (in the US)) etc.

The number of breaches of personal data now means that in many/most cases an
assumption that only a person knows something about them is extremely unlikely
to hold across a large userbase.

Of course you then fall back to "how do you validate that someone is who they
say they are" and probably things like biometrics, and/or other forms of 2FA
will need to feature.

------
verytrivial
"The company has no evidence that any personal information has been misused."
Yeah? Well my dog has no evidence of these details being misused either, but I
would still trust his opinion over Cathay's on this topic.

Edit: "If my personal information was accessed, how might I be affected?

We are very sorry for any concern that this may cause you."

So .. please change your passport number, birthday and previous travel history
if you are still concerned?

So infuriating. The people who SHOULD be impacted by this are Cathay Pacific
shareholders and senior management, who should get a rinsing due to fines.

------
graystevens
It is unclear from any reporting as to how this technically happened, which is
a shame but hopefully that will be made public in the coming days. Some other
outlets[0] have an interesting statement:

> _The breach also included details about where each passenger had traveled
> and any comments made by customer service representatives. The amount of
> data accessed varied among passengers._

Based on those details, and the mention of 'no passwords were compromised',
chances are this breach has come from an internal helpdesk type system, or
possibly CRM. If however the statement around the passwords changes, that
opens up a few other possibilities.

What this doesn't sound like are the attacks we saw on British Airways[1] and
Ticketmaster[2], where JavaScript was injected into the payment pages to
vacuum up payment details from customers.

The statement around "The company has no evidence that any personal
information has been misused" is always an interesting one, and is one of the
many reasons I created my startup Breach Insider[3], so that data breaches
like this could be detected much sooner (not 7 months later, as we have seen
here), with minimal false positive alerts, and definitive evidence if any data
has been misused. By using real email addresses that are unique to each
company/business, you can be sure to find out if that data ever leaks & is
abused for things like spam or phishing.

[0] [https://www.theverge.com/2018/10/24/18019958/cathay-pacific-airline-data-breach](https://www.theverge.com/2018/10/24/18019958/cathay-pacific-airline-data-breach)

[1] [https://www.britishairways.com/en-gb/information/incident/data-theft/latest-information#](https://www.britishairways.com/en-gb/information/incident/data-theft/latest-information#)

[2] [https://www.riskiq.com/blog/labs/magecart-ticketmaster-breach/](https://www.riskiq.com/blog/labs/magecart-ticketmaster-breach/)

[3] [https://breachinsider.com](https://breachinsider.com)
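
The per-company address idea described in the comment above, sketched as an added example: it is not Breach Insider's code and does not come from any commenter. The key, the canary domain, the partner names with their sending domains, and the sample messages are all constructed assumptions.

```python
import hashlib
import hmac
from email import message_from_string
from email.utils import parseaddr

KEY = b"constructed-demo-key"        # assumption: secret held by the monitoring side
CANARY_DOMAIN = "canary.example"     # assumption: domain whose inbound mail we receive
# Assumption: each monitored company and the domains it legitimately mails from.
PARTNERS = {"airline-a": {"airline-a.example"}, "shop-b": {"shop-b.example"}}

def canary_address(partner: str) -> str:
    """Derive the one address that is only ever handed to `partner`."""
    tag = hmac.new(KEY, partner.encode(), hashlib.sha256).hexdigest()[:12]
    return f"u{tag}@{CANARY_DOMAIN}"

def attribute(recipient: str):
    """Map a recipient address back to the partner it was issued to, or None."""
    issued = {canary_address(p): p for p in PARTNERS}
    return issued.get(recipient.strip().lower())

def leak_alerts(raw_messages):
    """Return (partner, sender_domain) for mail that reached a canary address
    from a domain the partner does not send from. From: is spoofable, so an
    expected domain proves nothing; an unexpected one is the signal."""
    alerts = []
    for raw in raw_messages:
        msg = message_from_string(raw)
        partner = attribute(parseaddr(msg.get("To", ""))[1])
        sender = parseaddr(msg.get("From", ""))[1]
        sender_domain = sender.rpartition("@")[2].lower()
        if partner and sender_domain not in PARTNERS[partner]:
            alerts.append((partner, sender_domain))
    return alerts

# Constructed sample mail: a legitimate newsletter, a phish, and a stray message.
SAMPLE = [
    f"From: news@airline-a.example\nTo: {canary_address('airline-a')}\nSubject: Offers\n\nhi",
    f"From: Support <x@phish.example>\nTo: {canary_address('airline-a')}\nSubject: Verify\n\nhi",
    f"From: a@other.example\nTo: someone@{CANARY_DOMAIN}\nSubject: hello\n\nhi",
]

if __name__ == "__main__":
    for partner, domain in leak_alerts(SAMPLE):
        print(f"address issued to {partner} received mail from {domain}")
```

Because each address is given to exactly one company, a single unexpected message is enough to name the source of the leak, which is where the low false-positive rate comes from.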

