Woesnotgone (Woes-not-gone) Meadow
All is relatively well here at Woesnotgone Meadow, where everyone has above average bandwidth. The temporary cold snap has gone away...for now. Those cold temperatures made quite a few people think about flying somewhere warm, just not on Cathay Pacific.
Cathay Pacific is a Hong Kong-based airline. Cathay Pacific also operates as its subsidiary, Hong Kong Dragon Airlines Ltd.
Announcement
The airline discovered unauthorized access to its system. The attackers accessed the data of 9.4M passengers, including members of the Marco Polo Club and Asia Miles and other registered users. Although the data was accessed, there was no evidence, so far, that it had been misused. This is counted as the largest data breach in the aviation industry. Arising from this issue, the Hong Kong Privacy Commission expressed “serious concern” regarding the data compromise.
Fail, Epic
As noted, there was unauthorized access to the clients’ data. One of the systems accessed may have been the customer resource management (CRM) system. The access was first suspected in March 2018. Based on this, an initial review was completed, and the compromise was confirmed in May 2018. The detection, while pertinent in the scenario, occurred while the airline was working on “ongoing security processes”. The airline also worked with a cybersecurity firm to better understand the compromise.
Beyond the attack and compromise itself, there was an issue with the reporting: notification to the clients was delayed. In the interim, the clients were at risk of identity theft and a number of other crimes, as their data was exposed. To assist with the remediation, the airline is providing identity/credit monitoring services from Experian.
Data Exfiltrated
The compromise appears to have allowed the attackers access to the clients’ names, nationalities, birth dates, phone numbers, addresses, 860K passport identification numbers, travel data, and other data. No CVV numbers were involved in the exfiltration, and no passwords were exfiltrated in this successful attack.
Looking Forward
Externally, the Hong Kong office would initiate compliance checks. Also, to assist with the reporting to affected parties, the airline began to contact them through various methods, rather than depending on just one. The Hong Kong Privacy Commissioner has urged people to change their passwords and enable 2FA.
Effects
With such a large compromise, there would be an effect on the airline in some manner. The airline’s stock did decrease significantly (6.5%) on the Hong Kong Exchange. Fortunately, flight operations were not affected by the compromise, as they ran on a different system.
Analysis
The attackers should not have had access for this length of time. The attackers had full access to the payment system, unfettered, for months. It is estimated the attackers were internally active for at least seven months. This should have been noticed during this extended period. The company’s rationale for not reporting this sooner was that it did not want to create unnecessary fear. The InfoSec team should have been more in touch with their enterprise activities and checked their logs.
Thanks for visiting Woesnotgone Meadow, where the encryption is strong, and the O/Ss are always using the latest version.
About the Author - Charles Parker, II has been working in the info sec field for over a decade, performing pen tests, vulnerability assessments, consulting with small- to medium-sized businesses to mitigate and remediate their issues, and preparing IT and info sec policies and procedures. Mr. Parker’s background includes work in the banking, medical, automotive, and staffing industries.