First published: 30th October 2018
What do Cathay Pacific, Experian and LinkedIn have in common? All three companies have suffered a data breach that exposed their users' personal data. The data breach at Cathay Pacific is the most recent, and, ironically, Cathay Pacific chose to help their affected passengers by offering ID monitoring services provided by Experian.
Experian is a consumer credit reporting agency. Experian collects and aggregates information on over one billion people and businesses and also sells decision analytic and marketing assistance to businesses. Its consumer services include online access to credit history and products meant to protect from fraud and identity theft. Their data breach occurred between 2013 and 2015, affecting up to 15 million people who used the company’s services. However, the they are still trusted used by the UK government, for the Verify ID system, and USPS for their Address Validation. Presumably their security has improved since 2015.
I found out that my data had been compromised when I received an email from firstname.lastname@example.org which specified which items of my personal data had been compromised, and invited be to use the Experian ID monitoring service by visiting a website: http://www.globalidworks.com/identity1 and entering a personalized activation code. I was immediately suspicious of the message: it was an unexpected message that invited me to visit an unrecognised website. The message also gave the address of their dedicated website, infosecurity.cathaypacific.com, which is in the well-known Cathay Pacific domain.
Fortunately, only my Name and Address had been compromised. Many people were not so lucky, other data accessed included passenger name; nationality; date of birth; phone number; email; address; passport number; identity card number; frequent flyer programme membership number; customer service remarks and historical travel information; and a small quantity of credit card numbers, without the CVV code.
One other item of information was compromised: the implied information that I'm a Cathay customer, which could be used to send a phishing email telling me about the data breach and inviting me to give personal data to an "ID monitoring service". It would be a good idea to check the correct link for the Experian service from multiple sources, and not just rely on an unverified email.
5.2 In order for us to provide you with our Services and for the prevention and detection of fraud, we will share your personal information with third parties who perform services on our behalf, including IT companies who perform services on our behalf. This includes the provision of IT services such as data storage and the provision of emails alerts sent to you to provide notification any of your suspected compromised information once you have enrolled to access our Services. These companies are required only to use your personal information as necessary to provide their services to us and only on our instructions. They are not permitted to process your personal information for their own purposes.
This contradicts the statement that information provided would be used solely for identity monitoring and not be shared with any other entity, made by Experian chief marketing officer Sisca Margaretta and reported by the South China Morning Post.
It is then necessary to select a "Security Question" and enter an answer. I have discussed previously the problems of security questions.
After complting the account registration, I provided two email addresses: the one dedicated to my Cathay Pacific account, and my general-purpose address.
I got an immediate report that my general purpose address had been found in July 2016, "Potential Site: LINKEDIN.COM". This was confusing, that email address is linked to my LinkedIn account, so were Experian simply telling me about that account? If that was the case, then why advise me to change the password immediately? Then I made a connection that brings us back to the commonality between Cathay Pacific, Experian and LinkedIn: there was a data breach at LinkedIn in 2012, and data from that breach became available online in May 2016, maybe Experian collected that information two months later? The information included email addresses and encrypted passwords for 117 million LinkedIn accounts, so that would be a very good reason to change my LinkedIn password. Fortunately, I had already changed that password in 2012, in response to the original breach announcement. I had also not used the password on any other site.
- Instead of using a link to an unknown site in the notification email, Cathay Pacific could have directed their passengers to a site they would already know, https://www.cathaypacific.com/, and use a prominent notice there to link to the Experian site. At the time of writing, Cathay Pacific do not have a prominent warning about the data breach on their main site, their Notification centre even says, "There are currently no important alerts."
- Experian should permit long passwords.
- Experian could improve their report wording:
- Make it clear whether the email address and encrypted password were found online. An email address alone is not a significant threat, but an encrypted password can be cracked.
- The advice is unclear about whether it is discussing the password used to access the email account, or one or more passwords for online accounts where the email address is used as a unique identifier. It makes a difference to which passwords need changing.
- Users should follow good security practice:
- Minimise the personal data at risk: Only provide the minimum personal information that is required for providing the service.
- Never re-use passwords.
- Use strong passwords.
Protecting personal data after a breach is like a tar-pit. In order to sign up for an ID monitoring service, it is necessary to submit to more flawed security and distribute your personal data to more entities to enable the monitoring. Each effort to escape the tar enlarges its grip and drags you down.