Cathay Pacific and Reading Between the Lines of Breach Reports
According to the statement, the airline first discovered suspicious access to its infrastructure in March 2018. It subsequently worked with an unnamed “leading” cyber security company to investigate the situation, leading to final confirmation of unauthorized customer data access in May 2018. In total, the datasets of 9.4 million users were affected by the breach. Accessed data includes “names of passengers, their nationalities, dates of birth, telephone numbers, email, physical addresses, passport numbers, identity card numbers, frequent flyer programme membership numbers, customer service remarks and historical travel information” as well as “403 expired credit card numbers and 27 credit card numbers with no CVV”.
Reading between the lines.
There is a lot of interesting content hidden in Cathay Pacific’s statement. Let’s go over the points one by one.
Timing of the announcement
Since the suspicious activity was found in March 2018 and the breach was confirmed in May 2018, almost 6 months lie between the confirmation of the breach and the public disclosure. This is an unusually long period of time by the standards of US or EU legislation, under which customers must be notified of breaches immediately, with leeway granted only in cases where notification may interfere with law-enforcement efforts to catch the attackers.
Cathay Pacific, however, is incorporated in Hong Kong and is consequently not subject to such regulations. It is, however, subject to the so-called “Inside Information Disclosure Regime” of Hong Kong. While the specifics exceed the level of detail we can provide in an information security briefing, the summary is that Hong Kong public companies need to disclose information that could otherwise enable market manipulation (e.g. insider trading). Indeed, Cathay Pacific's statement is labeled as “Inside Information”, indicating that the airline made the breach public in order to comply with just such regulatory requirements.
9.4 million affected users means that this breach is among the largest in recent history. For comparison, the recent British Airways breach impacted only 380,000 users. However, it is difficult to compare the breaches outright. While almost all victims of the British Airways breach had their credit card information compromised, only a handful of credit cards were stolen in the Cathay Pacific breach.
Conversely, 860,000 passport numbers were stolen from Cathay Pacific, while no details on stolen passport numbers are available in British Airways’ case.
While the impact of any single breach depends on a myriad of factors, it is not unreasonable to assume that the British Airways breach will lead to more short-term attacks such as credit card fraud, while the Cathay Pacific breach will lead to more long-term attacks such as identity theft.
Cathay Pacific's statement clarifies that the information accessed was largely personally identifying data. What is lacking are passwords and large amounts of credit card numbers. This lets us take an educated guess regarding what kind of system was compromised. Frontend and booking systems would contain far more credit card datasets. Flight management systems would be under stricter disclosure requirements. Central databases would likely also contain the passwords used for authentication. The unusual mix of accessed datasets containing only a few hundred credit card numbers indicates that we are dealing with either analytical data or support data. In both cases, the credit card numbers were likely attached as additional information to existing datasets. For example, a support database may contain a chat in which a customer gives a support representative his or her card number in order to make a change to a booking.