Cathay Pacific hack: Airline admits techies fought off cyber-siege for months

Fresh from belatedly admitting that 9.4 million passengers’ personal data was stolen by hackers, Hong Kong airline Cathay Pacific has now admitted that it was under attack for three solid months before it took half a year to tell anyone.

  1. Semtex451

    Flight Pattern

    Given that there would appear to be a pattern emerging, with recent Airline hacks, I'd be more worried about all the airlines that never realise, or never reveal the fact.

    1. Khaptain Silver badge

      Re: Flight Pattern

      I would hazard a guess that most of the world's major companies which hold large quantities of user information are in approximately the same position.. Insurance, Banking, Travel, Governments etc :

      The lucky ones have excellent IT teams and hardware and appropriate budgets and can defend themselves to a certain point.. The unlucky ones suffer a lot and then suffer even more when the media/users learn about the facts..

      What we never know is who the hackers are or who is behind them .. At this scale it's probably not really script kiddy stuff, serious budgets are being spent by some nasty people in order to create disruption or worse...

      1. Crypto Monad Silver badge

        Re: Flight Pattern

        > The lucky ones have excellent IT teams and hardware and appropriate budgets and can defend themselves to a certain point.

        Or at least they have logs and/or other ways of detecting attacks.

        The others have probably been attacked but just don't know it.

      2. c1ue

        Re: Flight Pattern

        I would be less surprised that attackers are not top tier. The airlines, just like the banks, insurance companies, utilities and what not all are running 40+ year old hardware underneath the tangle of glittery modern add-ons.

        The likelihood that these rats' nests of 4 decades of IT upgrades are secure is zero.

        1. yoganmahew

          Re: Flight Pattern

          @c1ue

          Nope, the hardware is new.

          The software, that's different, it's old in some cases. Very old.

          Perhaps that you can't use the correct term identifies your experience and capabilities in this matter.

          But, the old software is also not designed to be accessed in bulk, so the chances of old software being used to access is close to zero. The newer software? That stores bulk copies of DBs in SQL-readable format? So once you're in, you have access to everything?

          Yeah, keep kidding yourself it's legacy software that's the issue and nothing to do with modern systems, modern architectures, open system, open protocol, open access.

        2. Drs. Andor Demarteau (ShamrockInfoSec)

          Re: Flight Pattern

          Not entirely true for airlines.

          Whilst all older companies have legacy stuff, the airlines sector has invested heavily to create a common community cloud platform where a lot is being handled these days.

          This platform is called Amadeus and is Spanish based.

          I know this holds true for CX as well.

      3. Drs. Andor Demarteau (ShamrockInfoSec)

        Re: Flight Pattern

        I agree, this isn't specifically an airlines issue as such.

        Although there is one contributing factor that does hit the airlines sector more than other sectors named:

        with the ever dropping prices of tickets, due to LCCs (low cost carriers), the overhead and therefore the budget available to do proper IT, information security and privacy protection goes down with that as well.

        This is seen worldwide and not only in the EU and US markets.

        Budget as such isn't the only issue, management buy-in as well as a proper security culture are even more important.

  2. Pascal Monett Silver badge

    Looks like things are getting worse

    Credit card details seem to not actually be the end game for criminals any more - they're after user data. IDs, identifiers, passwords & other details.

    We have spent the last three decades handing out this information willy-nilly to anyone who asked, and now we are reaping the results of personal information databases created without preparation or a thought for security. Oh sure, they were carefully thought through for business purposes, but not from a security standpoint.

    It is obvious that companies are now going to have to implement the needed security as a bolt-on, after-the-fact measure and I doubt that we'll stop hearing of these hacks any time soon - unless the required budget grows a certain factor of times bigger.

    Even then, doing it fast doesn't mean doing it right.

    1. jake Silver badge

      Re: Looks like things are getting worse

      "We have spent the last three decades handing out this information willy-nilly to anyone who asked, and now we are reaping the results"

      Who is "we", Kemosabe?

      1. Khaptain Silver badge

        Re: Looks like things are getting worse

        Unfortunately, the "We" represents the majority of the unwashed masses that use the Internet.

        It's a sad state of affairs but due to the power of Google, FB et al, that mess is not going away anytime soon unless governments start to completely shut down companies that don't comply with privacy rules (that don't actually exist).....

    2. Drs. Andor Demarteau (ShamrockInfoSec)

      Re: Looks like things are getting worse

      Security is not a bolt-on feature, period.

  3. Version 1.0 Silver badge

    There are two types of system out there.

    Those systems that are being attacked ... and those whose sysadmins haven't noticed yet.

    1. Bob Dole (tm)

      Re: There are two types of system out there.

      > Those systems that are being attacked ... and those whose sysadmins haven't noticed yet.

      Absolutely this. We added intrusion detection to our systems around 20 years ago. During the first month of operation we identified an average of 3 new attacks starting every single minute. It's only gotten worse. Fortunately we've been on top of everything during all this time so we haven't (knock on wood) lost any customer data. However it was a real wake-up call.

      If you don't think you are under attack then you aren't paying attention.

      1. Anonymous Coward

        Re: There are two types of system out there.

        Yep, completely in agreement with that.

        One might consider the Internet's inability to reliably identify the origin of traffic as being a big problem. There is literally nothing to stop someone getting plugged in and pinging away with nastygrams with no ability for anyone else to find out who they really are (saving long, complex and often ultimately fruitless legal investigations forcing ISPs to open up who was paying for the connection at the source end, and then finding that the machine is a botnet victim anyway). There are literally zero consequences for sending a nastyogram, except in the most exceptional circumstances.

        I don't see a real solution either. Perhaps one might engineer up some kind of secure network where all traffic is traceable back to someone's personal certificate, and it won't let you connect without that being input somehow in a reliably secure un-copyable way, and there's a global registry of certificates so that nastyograms can be attributed to a specific person. I don't know what that network is (it's certainly not the Internet as we know it), and nor can I imagine anyone anywhere being content with the idea of a single CA for all people on the planet.

        Nations owning their own Internet is probably the only way to suppress the problem. That's effectively what China is doing, presumably controlling and witnessing every single network connection within their country. Ok, they're doing it primarily for bad reasons, but one has to admit that if anyone can track, block and prosecute originators of nastyograms within their border, they probably can. China also happens to be big enough to build all the services and IT it wants entirely within its own border, not needing anyone else to provide anything, which helps a lot. They just take the Android open source code, imbue it with a suitable Chinese services layer, stand up their service providers, job done. Barely a need for a foreign network connection at all.

        The question really is will every other country on earth be driven into taking similar measures at a national, or trading bloc, level? Maybe. And selling the idea to populations used to voting for their governments is going to be quite hard work... I don't like the idea either, but all the rubbish on the Internet is driving us towards needing that, not away.

        The alternative, that all software everywhere becomes free of flaws and is perfectly configured, and all phishing attacks get rejected by miraculously sceptical users, and that all USB ports get blocked up, seems less likely.

        1. Allan George Dyer

          Re: There are two types of system out there.

          @AC- "but one has to admit that if anyone can track, block and prosecute originators of nastyograms within their border, they probably can"

          They aren't succeeding in eliminating 'nastyograms', so either they aren't trying, or complete traceability is not the solution.

          I doubt whether complete traceability is a solution... as you said, you just find a botnet victim. Tracing the next layer requires exponential resources, against an attacker who will always be erasing the evidence. You spend ever more resources chasing an elusive goal. Time to look for a different approach.

  4. Pascal

    "The airline has set up a dedicated website"...

    ... That asks you to provide them location data!

    Because why let the fact the site is about a data breach, get in the way of collecting more data?

  5. I3N

    Exactly in what way?

    " ... Chinese territory’s equivalent of Parliament"
