HONG KONG • Cathay Pacific Airways has said it is working with 27 regulators in 15 jurisdictions to investigate a data breach that affected millions of passengers, as Hong Kong lawmakers grilled executives over how it handled the incident.
The executives yesterday did not answer repeated questions about whether the airline would compensate all affected customers or if it might face a hefty fine under new European Union privacy regulations, saying it was "too early" to comment.
Cathay has come under mounting criticism after it said last month that about 9.4 million passengers' personal data had been accessed without authorisation, seven months after it became aware of the breach.
It was not immediately clear who was behind the breach or what the information might be used for, but Cathay said there was no evidence so far that personal information had been misused.
"The incident is a crisis," company chairman John Slosar told the lawmakers. "It is the most serious one the airline has faced."
Mr Slosar again apologised for failing to protect customers' data and said he regretted that the company could not investigate the attack more quickly.
Cathay said in a document submitted to Hong Kong's Legislative Council that it first detected suspicious activity on its network in March and that the attack continued in the following months and expanded in scope.
The airline took until mid-August to conclude which passenger's data had been accessed, according to the document, and it completed the identification of the personal data that pertained to each individual passenger on Oct 24.
Lawmakers slammed the delay as a "blatant attempt" to cover up the incident and, thereby, deprive customers of months of opportunities to take steps to safeguard their personal data.
Cathay CEO Rupert Hogg explained that the company needed time to establish the nature of the attacks, contain the problem and identify stolen data, but said it "did regret the length of time" it took.
"We've learnt a lot of lessons from trying to do what we believe was right, which was to get accurate information about our customers, make sure that we knew what information pertained to them. We would do it a different way tomorrow, indeed," he said.
The company denied the data breach was a result of layoffs at its IT department last year.
Cathay said an airline restructuring had been completed and it planned to hire 1,800 staff this year.
It also said it had spent more than HK$1 billion (S$176 million) on IT infrastructure and security over the past three years.
REUTERS, AGENCE FRANCE-PRESSE