top of page

Woesnotgone (Woes-not-gone) Meadow

All is relatively well here at Woesnotgone Meadow, where everyone has above average bandwidth. The temporary cold snap has gone away...for now. With those cold temperatures they made quite a few people think about flying somewhere warm, just not on Cathay Pacific.

Cathay Pacific is the Hong Kong based airline. Cathay Pacific also operates as their subsidiary Hong Kong Dragon Airlines Ltd.


The airline discovered the unauthorized access to their system. The attackers accessed the data of 9.4M passengers. This included their clients of the Marco Polo Club, Asia Miles, and other registered users. Although this was accessed, there was no evidence, so far, that the data had been misused. This is measured as the largest breach of data in the aviation industry. The was, arising from this issue, from the Hong Kong Privacy Commission, a “serious concern” regarding the data compromise.

Fail, Epic

As noted, there was the unauthorized access to the client’s data. One of the systems accessed may have been the customer resource management (CRM) system. This was suspected in March 2018. Based on this an initial review was completed, and the compromise was confirmed in May 2018. The detection, while pertinent in the scenario, occurred while they were working on “ongoing security processes”. The airline also worked with a cybersecurity firm to further the understanding of the compromise.

With the attack and compromise, there was an issue with the reporting. The reporting to the clients was delayed. During the interim, the clients were at risk for identity theft and a number of other crimes as their data was exposed. To assist with the remediation, the airline is providing identity/credit monitoring services from Experian.

Data Exfiltrated

The compromise appears to have allowed the attackers access to the client’s name, nationality, birth date, phone numbers, address, 860K passport identification numbers, travel data, and other data. There were no CVV numbers involved with the exfiltration. There were no passwords exfiltrated with this successful attack.

Looking Forward

Externally, the Hong Kong office would initiate compliance checks. Also, to assist with the reporting to affected parties, the airline began to contact the parties through various methods, in comparison to depending on just one. The Hong Kong Privacy Commissioner has urged people to change their passwords and enable 2FA.


With such a large compromise, there would be an effect on the airline in some manner. Based on this the airline’s stock did decrease significantly (6.5%) on the Hong Kong Exchange. Fortunately, the flight operations were not affected by the compromise, as this was on a different system.


The attackers should not have access for this period of time. The attackers had full access to the payment system, unfettered, for months. It is estimated the attackers were internally active for at least seven months. This should have been noticed during this extended period. The company’s rationale for not reporting this sooner was they did not want to create an unnecessary fear. The InfoSec team should have been more in-touch with their enterprise activities and checked their logs.

Thanks for visiting Woesnotgone Meadow, where the encryption is strong, and the O/Ss are always using the latest version.


ABC News. (2018, October 25). Cathay pacific stocks plunge after airline reveals mass data breach by hacker. Retrieved from

BBC News. (2018, October 25). Cathay pacific data hack hits 9.4 million passengers. Retrieved from

Burton, G. (2018, October 25). Cathay pacific admits to data compromise of 9.4 millions passengers-eight months ago. Retrieved from

Cathay Pacific Airways Limited Board. (2018, October 24). Inside information data breach. Retrieved from

Duckett, C. (2018, October 24). Cathay pacific data breach hits 9.4 million people. Retrieved from

Garcia, M. (2018, October 25). Cathay pacific data breach highlights a need to change airline security focus. Retrieved from

Kunert, P. (2018, October 28). Cathay pacific hack: Personal data of up to 9.4 million airline passengers laid bare. Retrieved from

Locker, M. (2018, October 25). 9.4 million may have been hit in cathay pacific data breach. Retrieved from

McMah, L. (2018, October 25). Cathay pacific says 9.4 million passengers affected by major data leak. Retrieved from

Mullen, J. (2018, October 25). Cathay pacific got hacked, compromising the data of millions of passengers. Retrieved from

Ng, A. (2018, October 24). Cathay pacific breach leaks personal data on 9.4 million people. Retrieved from

Park, K., & Hong, J. (2018, October 24). Millions of passengers hit in worst ever airline data attack. Retrieved from

Quackenbush, C. 92018, October 25). Cathay pacific says data breach exposed personal information of 9.4 million passengers. Retrieved from

Reuters. (2018, October 24). Cathay pacific flags data breach affecting 9.4 million passengers. Retrieved from

Thomas Reuters. (2018, October 25). Cathay pacific says 9.4 million passengers affected by data breach. Retrieved from

Zhong, R. 92018, October 25). Cathay pacific data breach exposes 9.4 million passengers. Retrieved from

About the Author - Charles Parker, II has been working in the info sec field for over a decade, performing pen tests, vulnerability assessments, consulting with small- to medium-sized businesses to mitigate and remediate their issues, and preparing IT and info sec policies and procedures. Mr. Parker’s background includes work in the banking, medical, automotive, and staffing industries.

Featured Posts
Check back soon
Once posts are published, you’ll see them here.
Recent Posts
Search By Tags
No tags yet.
Follow Us
  • Facebook Basic Square
  • Twitter Basic Square
  • Google+ Basic Square
bottom of page