
The Abysmal State of Personal Data Protection

First published: 30th October 2018

What do Cathay Pacific, Experian and LinkedIn have in common? All three companies have suffered a data breach that exposed their users' personal data. The data breach at Cathay Pacific is the most recent, and, ironically, Cathay Pacific chose to help their affected passengers by offering ID monitoring services provided by Experian.

Experian is a consumer credit reporting agency. Experian collects and aggregates information on over one billion people and businesses and also sells decision analytic and marketing assistance to businesses. Its consumer services include online access to credit history and products meant to protect from fraud and identity theft. Their data breach occurred between 2013 and 2015, affecting up to 15 million people who used the company's services. However, they are still trusted by the UK government for the Verify ID system, and by USPS for their Address Validation. Presumably their security has improved since 2015.

I found out that my data had been compromised when I received an email from infosecurity@cathaypacific.com which specified which items of my personal data had been compromised, and invited me to use the Experian ID monitoring service by visiting a website: http://www.globalidworks.com/identity1 and entering a personalized activation code. I was immediately suspicious of the message: it was an unexpected message that invited me to visit an unrecognised website. The message also gave the address of their dedicated website, infosecurity.cathaypacific.com, which is in the well-known Cathay Pacific domain.

Fortunately, only my Name and Address had been compromised. Many people were not so lucky: other data accessed included passenger name; nationality; date of birth; phone number; email; address; passport number; identity card number; frequent flyer programme membership number; customer service remarks and historical travel information; and a small quantity of credit card numbers, without the CVV code.

One other item of information was compromised: the implied information that I'm a Cathay customer, which could be used to send a phishing email telling me about the data breach and inviting me to give personal data to an "ID monitoring service". It would be a good idea to check the correct link for the Experian service from multiple sources, and not just rely on an unverified email.
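The check the two paragraphs above describe in words, written out as an added example (not part of the original article): each link in a notification email is compared against the organisation's known domain on label boundaries rather than by substring, so that look-alike hosts are not accepted. The trusted-domain set is an assumption; the two links are the ones the article quotes.

```python
from urllib.parse import urlsplit

# Domains the recipient already knows belong to the organisation. Constructed
# for this example; the article names only the cathaypacific.com domain.
TRUSTED_DOMAINS = {"cathaypacific.com"}

# The two addresses quoted in the article's account of the notification email.
NOTIFICATION_LINKS = [
    "http://www.globalidworks.com/identity1",
    "infosecurity.cathaypacific.com",
]


def host_of(url):
    """Return the lower-cased host of a URL; scheme-less addresses are accepted."""
    if "//" not in url:
        url = "//" + url  # urlsplit needs a netloc marker to parse a bare host
    return (urlsplit(url).hostname or "").lower().rstrip(".")


def is_trusted_host(host, trusted=TRUSTED_DOMAINS):
    """True only if host equals a trusted domain or is a subdomain of it.
    Substring tests would wrongly accept 'cathaypacific.com.evil.example' or
    'notcathaypacific.com', so the comparison is made on label boundaries."""
    return any(host == d or host.endswith("." + d) for d in trusted)


def classify_links(urls, trusted=TRUSTED_DOMAINS):
    """Label each link 'known' or 'unrecognised' so the recipient can see which
    ones must be confirmed from a second source before being visited."""
    return {
        u: "known" if is_trusted_host(host_of(u), trusted) else "unrecognised"
        for u in urls
    }


if __name__ == "__main__":
    for link, verdict in classify_links(NOTIFICATION_LINKS).items():
        print(f"{verdict:12} {link}")
```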

I decided to try the Experian service with limited information. To use the service, it is necessary to agree to Experian's privacy policy, which includes the clause:

5.2 In order for us to provide you with our Services and for the prevention and detection of fraud, we will share your personal information with third parties who perform services on our behalf, including IT companies who perform services on our behalf. This includes the provision of IT services such as data storage and the provision of email alerts sent to you to provide notification of any of your suspected compromised information once you have enrolled to access our Services. These companies are required only to use your personal information as necessary to provide their services to us and only on our instructions. They are not permitted to process your personal information for their own purposes.

This contradicts the statement that information provided would be used solely for identity monitoring and not be shared with any other entity, made by Experian chief marketing officer Sisca Margaretta and reported by the South China Morning Post.

After agreeing to the privacy policy, the user can create an account with a user id and password. The password must be 8 to 15 characters, including at least one upper case, one lower case, one digit and one other character. However, the user is not warned of these restrictions in advance.

It is then necessary to select a "Security Question" and enter an answer. I have discussed previously the problems of security questions.

After completing the account registration, I provided two email addresses: the one dedicated to my Cathay Pacific account, and my general-purpose address.

I got an immediate report that my general-purpose address had been found in July 2016, "Potential Site: LINKEDIN.COM". This was confusing: that email address is linked to my LinkedIn account, so were Experian simply telling me about that account? If that was the case, then why advise me to change the password immediately? Then I made a connection that brings us back to the commonality between Cathay Pacific, Experian and LinkedIn: there was a data breach at LinkedIn in 2012, and data from that breach became available online in May 2016; maybe Experian collected that information two months later? The information included email addresses and encrypted passwords for 117 million LinkedIn accounts, so that would be a very good reason to change my LinkedIn password. Fortunately, I had already changed that password in 2012, in response to the original breach announcement. I had also not used the password on any other site.

Suggestions

Protecting personal data after a breach is like a tar-pit. In order to sign up for an ID monitoring service, it is necessary to submit to more flawed security and distribute your personal data to more entities to enable the monitoring. Each effort to escape the tar enlarges its grip and drags you down.

Allan Dyer

Gallery

Cathay Pacific website Notification centre on 2018-10-30
Experian report showing potential LinkedIn connection
