First published: 13th November 2018
Hong Kong's Legislative Council (LegCo) has requested Cathay Pacific Airways Limited (Cathay) to attend a joint meeting of the Panel on Constitutional Affairs, Panel on Information Technology and Broadcasting and the Panel on Security on Wednesday, 14 November, 2018 to face questions about the leak of personal data revealed last month.
The written paper submitted in advance of the Panel contains few details of the incident that have not already been revealed in the press and on Cathay's website dedicated to the incident. Unfortunately, the link to the dedicated website provided in the submission is incorrect, having an extra 'www' at the beginning.
The submission does give statistics on the effectiveness of Cathay's efforts to warn their customers:
|Channel||Statistics to midnight 12 November 2018|
|Website||181,700 page views|
|Call centre enquiries||5,031 calls received|
|Enquiry mechanism on the Website||19,005 enquiries received|
|Emails received by firstname.lastname@example.org||5,622 emails received|
|Free ID monitoring service||50,271 passengers enrolled|
Therefore, as of midnight 12 November 2018, over 97% of the 9.4 million people affected by the leak have taken no known action to find out more or protect themselves.
Updated: 23rd November 2018
Legislative Councillor for Information Technology Hon Charles Mok submitted written questions to Cathay Pacific in advance of the LegCo Panel meeting. He has now released his questions and Cathay Pacific's answers.
The answers reveal that Cathay Pacific in March 2018 initially detected brute force attacks on user account and launched an investigation with an outside cybersecurity firm. The attacks continued, being most intense in March, April and May. Early in May, the investigation revealed forensic evidence of unauthorised access and data exfiltration. The second phase of the investigation, which took until August, focussed on identifying which passenger data had been accessed and whether it could be reconstructed in a readable format outside of Cathay's systems. The third phase, which was not completed until 24 October 2018, focussed on identifying the compromised data types for each passenger. Cathay's databases and database servers have logging capabilities enabled at the OS and database level, which allowed the investigation to identify the activities of the attacker.
The investigation revealed that the attacker used previously unknown malware and utilities in the attack, which Cathay's up-to-date anti-virus system did not detect. Cathay has had in place detection and monitoring systems to detect APTs, and in March 2018 they also implemented an advanced endpoint detection and response system.
Cathay took both tactical and strategic remediation steps from the beginning of the investigation, improving their already robust security program.
It is interesting that the incident started with brute force attacks on user accounts, and no other unauthorised access method is mentioned, but there is no mention in the remediation measures of strengthening authentication systems, for example, by moving to 2 factor authentication or public key authentication.