Information consists of passengers’ names, nationalities, dates of birth, identity card numbers and historical travel details
Suspicious activity detected in March, prompting a cybersecurity investigation – but IT lawmaker questions why carrier waited till now to disclose breach
Cathay Pacific Airways looks set to escape heavy penalties under Hong Kong, United States and European Union privacy laws, even as it faces universal condemnation for keeping a massive data breach secret for seven months.
The city’s flagship carrier revealed late on Wednesday night that personal details of 9.4 million passengers had been illegally accessed by hackers in March, earning a strong rebuke from the privacy commissioner on Thursday while angry passengers complained about being deliberately kept in the dark.
While the European Union’s new General Data Protection Regulation requires such breaches to be reported within 72 hours, corporate lawyers said Cathay may have narrowly escaped punishment, as the breach was discovered about three months before a rule change on May 25.
Under EU law, companies that fail to report such breaches in a timely manner can now be fined 4 per cent of their annual revenue. Laws in certain European nations, including Germany, France and the Netherlands, stipulate penalties for failure or delay in notifying regulators or affected persons.
PUBLISHED : Thursday, 25 October, 2018, 10:55am
UPDATED : Friday, 26 October, 2018, 10:05am