Cathay Pacific's data breach has exposed a gap in the city's laws, with experts suggesting that existing rules be updated to ensure more timely disclosure.
Currently, disclosure of data leaks in Hong Kong is not mandated and is "a matter of best practice", said Mr Olli Jarva, managing consultant of the software integrity group at tech firm Synopsys.
Law Professor Stuart Hargreaves from The Chinese University of Hong Kong said the incident shows that the city's privacy laws are outdated and need a refresh.
The Hong Kong-listed company had announced last Wednesday that its computer network was compromised at least seven months ago, exposing the personal data and travel histories of some 9.4 million clients worldwide.
In a filing to the Hong Kong Stock Exchange, the airline said about 860,000 passport numbers and 245,000 Hong Kong identity-card numbers were exposed.
The company had detected suspicious activity on its network in March and confirmed the breach in early May, but it only made this known last week.
The airline has come under fire for the time it took to disclose the breach, but Cathay Pacific said the incident required considerable investigation, given the complexity of the data involved.
"We have no evidence that any personal information has been misused. No one's loyalty or travel profile was accessed in full and no passwords were compromised," the carrier added.
Prof Hargreaves said Hong Kong's privacy law came into effect in 1995 and was based upon the European Union's (EU's) previous privacy law, which was known as the Data Protection Directive.
"But since then, the EU has significantly modified... but Hong Kong is still using this old model based upon threats to privacy that were common in the 1980s and 1990s," he added.
In the EU, all member countries must comply with the General Data Protection Regulation, which took effect in May this year and stipulates that companies have to report data breaches within 72 hours of identification.
Within the region, Australia, South Korea and the Philippines have formal notification requirements, said Mr Tony Jarvis, chief technology officer for Asia-Pacific, Middle East and Africa at Check Point Software Technologies.
He added that mainland China, Indonesia and Taiwan have basic requirements in place, "but with very few details around how such breaches should be reported and how quickly this should be done".
Meanwhile, Singapore is in the process of changing its law to mandate that businesses report data breaches, noted Mr Pankaj Thareja, regional cyber-security consultant at insurer FM Global.
Companies listed in Singapore are covered by the continuous disclosure obligation and a massive data breach would be something that "should be disclosed immediately", said corporate governance advocate Mak Yuen Teen.
"Perhaps listing rules (in Hong Kong and Singapore) need to be relooked to include major data breaches such as the Cathay Pacific case as one of the specific items that should be disclosed immediately," Associate Professor Mak suggested, adding that there may be circumstances where a delay in disclosure may be justified, such as when investigations can be compromised.
Cyber-security experts say when there is a breach, it is vital for companies to act swiftly.
Mr Sanjay Aurora, Asia-Pacific managing director of cyber-defence firm Darktrace, said: "When it comes to cybercrime, time is of the essence. Within the criminal ecosystem, threat-actors leverage underground forums, IRC chats, and the DarkWeb to sell and re-use stolen private information."
On Tuesday, Hong Kong's Chief Secretary, Mr Matthew Cheung, described the issue as "very serious" and called on Cathay Pacific to fully cooperate in the government probe into the data breach.
The police and the privacy commissioner are both investigating the case, local broadcaster RTHK reported.