The Abysmal State of Personal Data Protection

First published: 30^th October 2018

What do Cathay Pacific, Experian and LinkedIn have in common? All three companies have suffered a data breach that exposed their users' personal data. The data breach at Cathay Pacific is the most recent, and, ironically, Cathay Pacific chose to help their affected passengers by offering ID monitoring services provided by Experian.

Experian is a consumer credit reporting agency. Experian collects and aggregates information on over one billion people and businesses and also sells decision analytic and marketing assistance to businesses. Its consumer services include online access to credit history and products meant to protect from fraud and identity theft. Their data breach occurred between 2013 and 2015, affecting up to 15 million people who used the company’s services. However, the they are still trusted used by the UK government, for the Verify ID system, and USPS for their Address Validation. Presumably their security has improved since 2015.

I found out that my data had been compromised when I received an email from infosecurity@cathaypacific.com which specified which items of my personal data had been compromised, and invited be to use the Experian ID monitoring service by visiting a website: http://www.globalidworks.com/identity1 and entering a personalized activation code. I was immediately suspicious of the message: it was an unexpected message that invited me to visit an unrecognised website. The message also gave the address of their dedicated website, infosecurity.cathaypacific.com, which is in the well-known Cathay Pacific domain.

Fortunately, only my Name and Address had been compromised. Many people were not so lucky, other data accessed included passenger name; nationality; date of birth; phone number; email; address; passport number; identity card number; frequent flyer programme membership number; customer service remarks and historical travel information; and a small quantity of credit card numbers, without the CVV code.

One other item of information was compromised: the implied information that I'm a Cathay customer, which could be used to send a phishing email telling me about the data breach and inviting me to give personal data to an "ID monitoring service". It would be a good idea to check the correct link for the Experian service from multiple sources, and not just rely on an unverified email.

I decided to try the Experian service with limited information. To use the service, it is necessary to agree to Experian's privacy policy, which includes the clause:

This contradicts the statement that information provided would be used solely for identity monitoring and not be shared with any other entity, made by Experian chief marketing officer Sisca Margaretta and reported by the South China Morning Post.

After agreeing to the privacy policy, the user can create an account with a user id and password. The password must be 8 to 15 characters, including at least one upper case, one lower case, one digit and one other character. However, the user is not warned of these restrictions in advance.

It is then necessary to select a "Security Question" and enter an answer. I have discussed previously the problems of security questions.

After complting the account registration, I provided two email addresses: the one dedicated to my Cathay Pacific account, and my general-purpose address.

I got an immediate report that my general purpose address had been found in July 2016, "Potential Site: LINKEDIN.COM". This was confusing, that email address is linked to my LinkedIn account, so were Experian simply telling me about that account? If that was the case, then why advise me to change the password immediately? Then I made a connection that brings us back to the commonality between Cathay Pacific, Experian and LinkedIn: there was a data breach at LinkedIn in 2012, and data from that breach became available online in May 2016, maybe Experian collected that information two months later? The information included email addresses and encrypted passwords for 117 million LinkedIn accounts, so that would be a very good reason to change my LinkedIn password. Fortunately, I had already changed that password in 2012, in response to the original breach announcement. I had also not used the password on any other site.

Suggestions

• Instead of using a link to an unknown site in the notification email, Cathay Pacific could have directed their passengers to a site they would already know, https://www.cathaypacific.com/, and use a prominent notice there to link to the Experian site. At the time of writing, Cathay Pacific do not have a prominent warning about the data breach on their main site, their Notification centre even says, "There are currently no important alerts."
• Experian should permit long passwords.
• Experian could improve their report wording:
  • Make it clear whether the email address and encrypted password were found online. An email address alone is not a significant threat, but an encrypted password can be cracked.
  • The advice is unclear about whether it is discussing the password used to access the email account, or one or more passwords for online accounts where the email address is used as a unique identifier. It makes a difference to which passwords need changing.
• Users should follow good security practice:
  • Minimise the personal data at risk: Only provide the minimum personal information that is required for providing the service.
  • Never re-use passwords.
  • Use strong passwords.

Protecting personal data after a breach is like a tar-pit. In order to sign up for an ID monitoring service, it is necessary to submit to more flawed security and distribute your personal data to more entities to enable the monitoring. Each effort to escape the tar enlarges its grip and drags you down.

Allan Dyer