Cathay Pacific hack: Personal data of up to 9.4 million airline passengers laid bare

Cathay Pacific has admitted that personal data on up to 9.4 million passengers, including their passport numbers, has been accessed by unauthorised personnel in the latest security screw-up to hit the airline industry.

  1. Doctor Syntax Silver badge

    I wonder what the GDPR situation is with a breach before the go-live date but disclosure wwwellllll delayed until after. It's delayed disclosure that brings the biggest fines.

    "We want to reassure our passengers that we took and continue to take measures to enhance our IT security,"

    And why did el Reg publish this without challenging it?

  2. FuzzyWuzzys
    Facepalm

    Hmmm, was it...

    ...another S3 bucket with "test data" accidentally left wide open?

  3. smudge
    Holmes

    "... no evidence that any personal data has been misused"

    "We have no evidence that any personal data has been misused. No one's travel to loyalty profile was accessed in full, and no passwords were compromised."

    And no one has connected the junk mail, cold-call selling, burglaries and identity theft with us. Yet.

  4. Marcus000

    Is there a list somewhere of companies that haven't been hacked yet?

    1. Valerion

      Is there a list somewhere of companies that haven't been hacked yet?

      Yes - I have pasted a comprehensive list below:

      1. Marcus000

        Excellent!

      2. el_oscuro

        Exception in thread "main" java.lang.NullPointerException

    2. FrogsAndChips Silver badge

      There are 2 types of companies:

      - those that have already been hacked

      - those that have already been hacked but don't know it yet

      1. Radio Wales
        Black Helicopters

        Very droll.

        This somewhat realistic comment is yet another wake-up reminder to NEVER EVER entrust any of my biometric data to ANYBODY.

        If refusal ends up being threatened with legal action or imprisonment (Like last time) from HM Gov.uk then I shall regard that as a hint to emigrate to some backward country that still machine swipes credit cards and accepts ID confirmation from an expired licence stuffed with a €10 note.

        Either that or join the 'Gentlemen of the Road Brigade' who are sworn off taxes and other unpleasantries arising from normal life in good ole Blighty.

  5. spold Silver badge

    It's OK....

    In future the data will now be transferred across the Pearl River delta (possibly using the new bridge) and held in a highly secure Chinese mainland database.

  6. Anonymous Coward
    Anonymous Coward

    Credit card data

    It's always, don't worry there was little to no credit card data stolen.

    Guess what? I don't care if you steal the BANK'S credit card data, that's (mostly) their problem. My personal details? Yeah I can't change my DOB...I kind of care now.

    1. tiggity Silver badge

      Re: Credit card data

      Indeed and flights are one of the things you cannot use a fake DOB (unlike social media & other web sites where you just put any old DOB), so it's far worse as data theft as hackers actually have your real DOB from this sort of breach.

  7. gr00001000
    Trollface

    which nation state would seek such data?

    Let me think

  8. Allonymous Coward
    Facepalm

    Missed image opportunity

    The El Reg snark is slipping. You really should have illustrated a Cathay Pacific story with a picture from the time they spelled their name wrong on the side of a plane.

  9. anatak
    Unhappy

    Doesn’t inspire confidence

    I flew recently with Cathay so wanted to check.

    Except they mangled the webform so I can’t enter my name.

    Now I feel oh so safe.

    https://infosecurity.cathaypacific.com/web/#/en_HK/register

  10. GnuTzu
    Megaphone

    Another Company That I've Never Heard Of

    It's the opposite of all your eggs in one basket. Instead, we've shared our secrets with so many organizations that eventually your data will be stolen. Now, I am definitely anti-monopoly, so I would fear that those greedy for market control would seek a monopoly solution to this problem. So, I think we'd better hurry up and find something that's a reasonably free-market solution. Anybody got any good ideas out there? And, don't say "block chain", well, unless it actually applies.

    1. Anonymous Coward
      Anonymous Coward

      Re: Another Company That I've Never Heard Of

      > It's the opposite of all your eggs in one basket. Instead, we've shared our secrets with so many organizations that eventually your data will be stolen.

      Yep. I'm surprised they didn't just say: "It's okay, all those affected had their personal data exposed in the Experian leak at the end of last year so nothing more to worry about - their data was out there anyway. Please fly with us again. Please."

      1. daflibble

        Re: Another Company That I've Never Heard Of

        >Yep. I'm surprised they didn't just say: "It's okay, all those affected had their personal data exposed in the Experian leak

        Excellent we could have a new amendment to GDPR which could require organisations when reporting leaks to correlate the information with other known leaks for discounts on fines ; )

    2. Dabooka

      Re: Another Company That I've Never Heard Of

      You lost me there old chap, you'll need to try again.

      RE: Company you've never heard of, are you joking? You've really never heard of Cathay Pacific?

      1. GnuTzu

        Re: Another Company That I've Never Heard Of

        @Dabooka, "You've really never heard of Cathay Pacific?"

        I'm afraid so. But, then I avoid flying like the plague and will make every effort to take the train in business class instead. Yes, cramped seating is harder to take for some, and I'm one of them (hsperson.com).

  11. Pascal Monett Silver badge

    "No one's travel to loyalty profile was accessed in full"

    Travel to loyalty profile ?

    Why am I surprised that airlines are profiling us as well ? I'm sure there are plenty of people who, having traveled for business from Sydney to Dhaka to Frankfurt to Vancouver during the week, would be absolutely overjoyed in taking a short hop to Osaka to unwind during the week-end.

    Right ?

  12. Anonymous South African Coward Bronze badge

    Wonder who'll be next.

    Most probably SAA (South African Airways)...

  13. heyrick Silver badge

    Why is all this data being retained?

    Once the flight has landed, they need only remember your name, nationality, and year of birth in case some agency or other wants to know if "person" was on the flight. Everything else should be discarded - particularly if it is sensitive information such as government issued identity numbers and other unchangeable metrics like date of birth...

    1. Alister

      Re: Why is all this data being retained?

      Because it takes work, and money, to delete data.

      Leaving stale data is the cheap preferred option.

    2. Nick Stallman

      Re: Why is all this data being retained?

      Because terrorists!

  14. EnviableOne

    Airline Safety not Privacy

    the whole industry is rife with bad security

    just look at the SABRE and Amadeus
