
Privacy – the handling of the breach by CX

Privacy is a big topic all in itself, and I shall provide some more related information in separate posts.

The recent incident, however, has caught my attention and also the urge to comment.
Cathay Pacific (CX), Hong Kong’s flagship airline, finally came forward on 25th October 2018 with information that their servers were accessed without authorization and data of 9.4 million of the airline’s customers had been compromised.
This incident already happened in March 2018, so “only” 7 months before Cathay Pacific chose to inform their customers.

Shortly after the story made headlines in the news, I also received an email informing me that my data at the carrier had been accessed without authorization.

Data privacy is an important topic to me and I shall use the excellent example from Cathay Pacific to explain some details, what to watch out for and also what an impacted company should or should not do.

1. Informing the impacted customers after 7 months.

This feels just like a slap in the face.
It shows very clearly how little the carrier cares for their customers – and yes, I’m well aware of the prayer-like repetitions of phrases from Cathay Pacific claiming their customers are important to them.
But that’s just that, empty phrases, a waste of digits, paper or air, depending on the medium used for the attempts to convey their marketing message.

Trust is a fragile thing, easy to break and hard to mend.

In our fast paced and increasingly digital life, time is of the essence.
Knowing that your data has been compromised or lost allows you to be aware and vigilant.
It allows you to watch out for anything fishy happening and you may think twice and with a different perspective about that unsolicited email in your inbox informing you that you have just signed up for whatever-it-is new membership or shop or …
Of course, you’d never click on such a potential phishing or virus-carrying threat anyway and likely you’d just delete such an email.
However, if you are aware that your email address and other personal information had been stolen, you may look at this more seriously, also from the perspective that someone may try to set up a fake digital identity of you somewhere on the web.
And that should certainly catch your attention as it may have some long spanning implications for you, the real you, I mean.

Thus, knowing of a breach and actively not informing the very people that are impacted immediately is just wrong.

But then again, looking at this little breach – after all “only” 9.4 million customers were impacted – from Cathay Pacific’s perspective, it is not their data that is at risk, it is the data of their customers! So, why bother to rush and risk looking bad? Maybe they thought that later on an opportunity to cover it up or hide this little incident would arise? Well, I don’t know about that, but I do know that coming out so late does not play in their favour and customers will likely not take it kindly.

Of course, chances are that there was also some of Cathay Pacific’s own data compromised during that incident, but that’s their very own internal pleasure to handle and may only be of interest to their curious shareholders.
Add 2018-11-12: my assumption has just been confirmed (see SCMP report)

2. We have no evidence that any personal data has been misused.

This statement is taken from the email I received from Cathay Pacific.
Now, that feels reassuring, doesn’t it? (Please see the sarcasm in the sentence.)

How would Cathay Pacific even know if the thief of the data has set up a false identity of me somewhere on the web? Did they expect a confirmation email?

“Dear Cathay,
I have used the personal data of your customer Mr. T that you so generously provided
to implement a fake digital identity
and I’m now happily shopping at Amazon
under Mr. T’s name, all billed to his credit card.
Yours faithfully,
a grateful hacker.”

Cathay Pacific is an airline – to the best of my knowledge – and I think they have yet to fathom what can be done with stolen personal data in the bad world out there.
To lull the unaware and inexperienced customer into a false sense of security is, in my eyes, a dangerously wrong approach.

3. The free monitoring service

Generously, Cathay Pacific is offering to utilise an “ID monitoring service”, provided by Experian. (Note, this is not the link to the free service offered by Cathay Pacific, but the link to the main webpage of the mentioned service provider.)
This confirms point 2. above, i.e. they just can’t know what the intruder is possibly doing with the data.

Now to the tricky part.
To enable this monitoring of your data that was accessed without authorization (aka stolen) you have to provide your data to this third party company.
It’s a little like in the old Grimm Brothers fairy tale “Frederick and Catherine (aka Freddy and Katy Lizzy)”, rolling the cheese down the hill to go tell the first cheese to come back.
Certainly, there’s a necessity to let this monitoring service provider know what to monitor, i.e. your personal data, but at the same time you’re putting your data at risk again, and with an additional company.
It is a difficult decision to find a good balance. I’d recommend providing the service company with only one of your email addresses (if that is among the data that was illegally accessed) and not the whole set of data.

4. What next?

Various suggestions are already circulating in the media and on the web, from class legal action to lobbying with the Hong Kong Watchdog for Privacy (PCPD).
Feel free to check what you’d consider worth your time – I shall not recommend anything specific in this regard here.
The information from the South China Morning Post at https://www.scmp.com/news/hong-kong/law-and-crime/article/2171092/cathay-pacific-data-leak-what-can-customers-affected-do may serve as an entry point.

However, there must be some actions taken to ensure similar incidents cannot happen again.
I’m drawing from my own experience of running our own little webshop.
Being cautious about where I provide which personal data, I shall ensure proper handling of the trust put into us when customers provide their personal data to us.

  1. Only requesting the minimum required information to allow functioning is the first step.
  2. Ensuring the customer is aware what personal data we ask for and why via clearly documented privacy policies is the next.
  3. When it comes to the really, really sensitive data for payments, like credit card numbers, expiry dates, etc., we actively chose to NOT hold any credit card data and information of our customers on our own servers. Instead we opted for a payment flow where we utilise a trustworthy and trusted payment provider who’s specialised in handling such sensitive data. No customer credit card information will ever be seen by our server but only the confirmation that a transaction was executed is returned to us from the payment gateway provider so we can trigger the shipment.
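
The three steps above can be sketched in code. This is an added example, not code from our webshop: the field names, the shared secret and the assumption that the gateway signs its confirmation with HMAC-SHA256 are all hypothetical.

```python
import hashlib
import hmac
import json
from typing import Optional

# Assumption: the (hypothetical) gateway signs each confirmation body with
# HMAC-SHA256 using a secret shared with the shop. Constructed demo value.
GATEWAY_SECRET = b"constructed-demo-secret"

# Step 1: the only customer fields the shop accepts and stores.
ORDER_FIELDS = {"name", "email", "shipping_address", "items"}
# Step 3: fields that must never reach the shop's server or database.
CARD_FIELDS = {"card_number", "pan", "cvv", "cvc", "expiry", "expiry_date"}


def minimise_order(form: dict) -> dict:
    """Keep allow-listed fields only; refuse anything that looks like card data."""
    leaked = CARD_FIELDS & form.keys()
    if leaked:
        raise ValueError(f"card data belongs at the gateway: {sorted(leaked)}")
    return {k: v for k, v in form.items() if k in ORDER_FIELDS}


def sign(body: bytes, secret: bytes = GATEWAY_SECRET) -> str:
    """What the gateway side would compute; used here to build sample input."""
    return hmac.new(secret, body, hashlib.sha256).hexdigest()


def handle_confirmation(body: bytes, signature: str) -> Optional[str]:
    """Return the order id to ship, or None if the confirmation is rejected."""
    if not hmac.compare_digest(sign(body).encode(), signature.encode()):
        return None  # forged or altered confirmation: do not ship
    event = json.loads(body)
    if CARD_FIELDS & event.keys():
        return None  # gateway misconfigured: card data must not be processed here
    if event.get("status") != "paid":
        return None
    return event.get("order_id")


if __name__ == "__main__":
    # Constructed sample data, for illustration only.
    form = {"name": "Mr. T", "email": "t@example.com", "date_of_birth": "1970-01-01"}
    print(minimise_order(form))          # date_of_birth is dropped
    body = json.dumps({"order_id": "A-1001", "status": "paid"}).encode()
    print(handle_confirmation(body, sign(body)))
```
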

How can our small experience be translated for use at Cathay Pacific and potentially other companies?

  • Well, as a starting point, be clear about your company targets.
    We are NOT in the business of collecting personal data but many companies out there have deep-rooted desires for collection and aggregation of personal data.
  • Up-to-date applications on well-maintained servers help to reduce the numbers and risks of potential attack vectors (that’s for the IT department to watch over).
  • Industry best practice standards need to be in place wherever sensitive personal data is handled. Learn from other industries that have gone through such learnings already (well, some are still in the midst of it) like banking.
  • Have a defined and clear communication protocol to inform customers in case there was an incident, not only for the ISO9001 folders and audits but also apply it. This will help to keep or mend the trust in the relationship with your customers – certainly they’ll be angry as a first reaction but a professional handling will help to keep them as future customers.

To summarize:

  • timely availability of information is important
  • sugar coating is like misinformation and potentially makes the issue worse
  • be cautious what information you provide to the monitoring service provider as this may put you in additional risk
  • companies and personal users should be cautious regarding the data they collect or provide, respectively, and be clear on the privacy policies applied to protect such data
