Data Breach of the Month: Cathay Pacific

Welcome back to our Data Breach of the Month series, where we look at a notable cyber incident or data breach from the past month. Sometimes we’ll offer deeper analysis of the latest big breach, and other times we’ll focus on a lesser known incident that has outsized implications for the security industry.

In each case, you’ll learn the type of data breached, the vulnerabilities or gaps that were exploited, and what organizations can do to remediate effectively and address potential root causes.

So without further ado, our breach of the month for October 2018 is… the massive customer data breach at Cathay Pacific.


What Happened?

Cathay Pacific, a major Hong Kong-based airline, recently disclosed that the personal data of 9.4 million customers had been accessed in a breach that was initially discovered in May. The data included names, birthdates, phone numbers, email addresses, physical addresses, passport numbers, frequent flyer program numbers, and a small amount of credit card information. Cathay Pacific says that no passengers’ accounts were accessed in full, and no passwords were compromised in the breach.

The airline is offering free identity theft protection to people who are potentially affected, but has come under criticism for waiting until October to announce the breach, leaving customers exposed for more than five months. There is no mandatory breach notification requirement in Hong Kong, and the breach happened just before GDPR took effect, so there is no immediately apparent compliance violation. However, Hong Kong’s privacy commissioner has said he will look into Cathay Pacific for potential violations of Hong Kong’s Personal Data (Privacy) Ordinance.


How Did it Happen?

Cathay Pacific has been vague about the nature of the breach, but it is speculated to be related to their ongoing shift from legacy systems to cloud solutions. New systems bring with them a new set of risks, making it easy for vulnerabilities to be overlooked. Falling behind on patches for cloud databases, or failing to enforce consistent access controls across old and new systems, can result in unauthorized access. Adding to Cathay Pacific’s risk in recent years is the fact that they cut many senior IT positions in 2017, reducing cybersecurity manpower and institutional knowledge.


How to Minimize the Risk of this Type of Breach

Although the specifics have not been made public, a data breach at this scale does not happen because of a single security failure; many things must have gone wrong. This is why it is important to conduct a full root cause investigation when a breach or signs of a breach have occurred. With so many security teams facing a constant stream of alerts, it is all too common to simply address the symptoms and remediate the surface-level vulnerability. However, with strong forensic and case management tools, investigators can dig through logs, incident records, and other data to trace the attack back to the original vulnerabilities that were exploited.

Also relevant to this case is the challenge of doing more with less. Unfortunately, many security teams find themselves in the same position as Cathay Pacific: trying to protect their organization while suffering from a lack of experienced personnel. Security orchestration and automation tools help to save investigators time and improve their efficacy by automatically enriching alerts with contextual data, identifying likely false positives, and integrating with other security systems to act at machine speed. The result is that even a small team can stop chasing false positives and take the time to thoroughly investigate real threats.
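To make the enrichment and false-positive filtering described above concrete, here is a small triage routine of the kind a SOAR playbook automates. It is an added illustration, not D3's code and not anything known about Cathay Pacific's environment: the asset inventory, scanner address, threat-intel entry, scoring weights and sample alerts are all constructed for the example. Alerts are grouped into one case per (source, host) pair, enriched with asset and intel context, scored, and sweeps from the organisation's own vulnerability scanner are suppressed so an analyst sees a short, ordered list instead of a raw alert stream.

```python
from __future__ import annotations

from collections import defaultdict
from dataclasses import dataclass

# Constructed context sources. A real playbook would pull these from a CMDB,
# a threat-intel feed and the scanner configuration; here they are inlined.
ASSETS = {
    "db-cust-01": {"owner": "data-platform", "sensitivity": "high"},
    "web-edge-03": {"owner": "web-team", "sensitivity": "low"},
}
AUTHORIZED_SCANNERS = {"10.0.5.20"}    # the organisation's own vulnerability scanner (assumed)
THREAT_INTEL_IPS = {"203.0.113.45"}    # constructed known-bad source (documentation range)

INVESTIGATE_THRESHOLD = 50   # illustrative weights, not a vendor's scoring model
BRUTE_FORCE_LOGINS = 5


@dataclass(frozen=True)
class Alert:
    ts: str      # ISO timestamp, kept for the case timeline
    kind: str    # "port_scan", "failed_login" or "db_export"
    src: str     # source IP
    host: str    # affected asset


def enrich(alert: Alert) -> dict:
    """Attach asset and intel context to a raw alert (the enrichment step)."""
    asset = ASSETS.get(alert.host, {"owner": "unknown", "sensitivity": "unknown"})
    return {
        "alert": alert,
        "owner": asset["owner"],
        "sensitivity": asset["sensitivity"],
        "src_is_scanner": alert.src in AUTHORIZED_SCANNERS,
        "src_in_intel": alert.src in THREAT_INTEL_IPS,
    }


def case_score(items: list[dict]) -> int:
    """Score one (source, host) group; each signal adds an assumed weight."""
    kinds = [i["alert"].kind for i in items]
    score = 0
    if any(i["src_in_intel"] for i in items):
        score += 50
    if items[0]["sensitivity"] == "high":
        score += 30
    if kinds.count("failed_login") >= BRUTE_FORCE_LOGINS:
        score += 20
    if "db_export" in kinds:
        score += 40
    return score


def build_cases(alerts: list[Alert]) -> list[dict]:
    """Group alerts per (src, host), enrich, score and order them for an analyst."""
    groups: dict[tuple[str, str], list[dict]] = defaultdict(list)
    for a in alerts:
        groups[(a.src, a.host)].append(enrich(a))

    cases = []
    for (src, host), items in groups.items():
        kinds = {i["alert"].kind for i in items}
        # Port scans from the authorised scanner are the classic false positive:
        # suppress them so they do not consume analyst time.
        if items[0]["src_is_scanner"] and kinds == {"port_scan"}:
            verdict, score = "suppressed", 0
        else:
            score = case_score(items)
            verdict = "investigate" if score >= INVESTIGATE_THRESHOLD else "review"
        cases.append({
            "src": src, "host": host, "owner": items[0]["owner"],
            "alerts": len(items), "first_seen": min(i["alert"].ts for i in items),
            "score": score, "verdict": verdict,
        })
    # Highest score first; among equal scores, suppressed cases sink to the bottom.
    return sorted(cases, key=lambda c: (c["score"], c["verdict"] != "suppressed"), reverse=True)


# Constructed sample alerts: a scanner sweep, a low-volume login failure, and
# a brute force followed by a bulk export from the customer database.
SAMPLE_ALERTS = [
    Alert("2018-05-01T02:00:00Z", "port_scan", "10.0.5.20", "web-edge-03"),
    Alert("2018-05-01T02:05:00Z", "port_scan", "10.0.5.20", "web-edge-03"),
    Alert("2018-05-01T03:10:00Z", "failed_login", "198.51.100.7", "web-edge-03"),
    Alert("2018-05-01T03:12:00Z", "failed_login", "198.51.100.7", "web-edge-03"),
] + [
    Alert(f"2018-05-01T04:0{i}:00Z", "failed_login", "203.0.113.45", "db-cust-01")
    for i in range(5)
] + [Alert("2018-05-01T04:30:00Z", "db_export", "203.0.113.45", "db-cust-01")]

if __name__ == "__main__":
    for case in build_cases(SAMPLE_ALERTS):
        print(case)
```

Running it yields three cases: the brute force plus export against the high-sensitivity database scores 140 and is marked "investigate", the two stray login failures land in "review", and the scanner sweep is suppressed. The point is not the particular weights but that every enrichment field used for the decision (owner, sensitivity, intel hit, scanner status) is recorded on the case, which is exactly the context a root cause investigation later needs.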

D3 uniquely complements its award-winning SOAR platform with case management, digital forensics, and root cause analysis capabilities that go far beyond any other security operations platform on the market. Some of the world’s largest companies use D3 to quickly respond to potential data breaches and shut down recurring threats using our D3 SOAR technology.

Thanks for joining us. We’ll see you back here next month for a new Data Breach of the Month. 

Walker Banerd

Walker is D3 Security's Director of Content Marketing. He leads the writing of D3's blog, as well as white papers, industry briefings, and other thought leadership. Walker's expertise is translating technical concepts into easily understandable content, with a focus on software, cybersecurity, and compliance solutions.