If Nat King Cole had performed his 1943 hit ‘Straighten Up and Fly Right’ to a select audience today, executives from major airlines would have been sitting in the front row and might be forgiven for thinking he was offering advice on how to handle data breaches. Airline data breaches are becoming increasingly commonplace and the latest victim is Cathay Pacific. However, Cathay Pacific is hardly alone – British Airways, Air Canada and Delta Air Lines have all suffered data breaches as a result of a cyber attack.
However, what is interesting to note about the Cathay Pacific breach is that it had an immediate and material effect on the company’s net worth. In short, the shares, which are listed on the Hong Kong Stock Exchange, simply fell off a cliff. Investors were quick to react as Cathay Pacific lost 3.8 percent of its share value ($201 million in market value) in Hong Kong when the details of the breach were revealed – the biggest loss since January 2017.
The ailing operation has been steadily losing ground as far as share value is concerned but the data breach is another unwelcome nail in what seems to be a coffin constructed of lax management and increased competition.
“At this point, we believe it is uncertain if Cathay Pacific would be liable to any fines imposed by government authorities for such a breach,” Geoffrey Cheng, an analyst at Bocom International Holdings Co., wrote in a research note. “However, we expect the share price jitters to linger on for a while.”
Airlines as soft targets
The question now needs to be asked – are cybercriminals identifying airlines as soft targets due to lax cyber security?
When Cathay Pacific revealed the details of the breach, British Airways almost simultaneously issued an update regarding its own data breach which occurred in September 2018. The number of people affected by that hacking attack was increased by a further 77,000. Those people join a vast number of others – in total that breach affected 380,000 payments according to British Airways. The payment details that were compromised include credit card CVV codes. The latest increase in the numbers affected just adds to the urgency of addressing data breaches that affect airlines.
“The potentially impacted customers were those only making reward bookings between April 21 and July 28, 2018, and who used a payment card,” the airline stated. British Airways also said that, of the previous 380,000 customer payment card details announced, ‘only’ 244,000 were affected.
Delta Air Lines has also been hit by hackers. The airline issued a statement in April revealing that a cyber attack on a contractor last year exposed the payment information of “several hundred thousand customers.”
Paul Bischoff, privacy advocate at Comparitech.com, had this to say – “With British Airways’ disclosure of hackers carrying out a malicious attack on its website and mobile app and Air Canada suffering a similar fate, there’s nothing like a fresh wave of data breaches to drive home the importance of the security of customer data.”
It appears that Cathay Pacific did not learn from the example of British Airways or Delta Air Lines.
Airline data breaches the tip of the iceberg
There are two sectors that seem increasingly attractive to hackers in search of personal information. The first of these is the financial sector – and now the aviation sector is also becoming a target. The reason is not difficult to fathom. Both of these sectors are custodians of vast amounts of sensitive data.
With 4,358 million passengers (year to date in 2018), the data that airlines gather is staggering – and this makes the industry a prime target for hackers.
The Cathay Pacific story hit headlines due to the magnitude of the breach and the staggering number of individuals affected – this breach makes British Airways’ experience look almost enviable. An official statement revealed that the personal data of 9.4 million Cathay Pacific customers had been accessed. This is by far the worst data breach affecting an airline.
Passenger names, nationalities, dates of birth, contact details, passport numbers, Hong Kong ID numbers, frequent flyer program membership numbers, as well as customer service remarks and historical travel information were seized by the hackers. Cathay Pacific also revealed that 403 expired credit card numbers and 27 active credit card numbers with no CVV were accessed.
What is most worrying about the airline’s reaction to the breach is just how long it took to issue a public statement and inform customers of the unauthorized access. The breach was discovered seven months ago. Cathay Pacific’s CEO, Rupert Hogg, followed the lead of British Airways’ CEO Alex Cruz in issuing an apology to customers at the end of October. However, there hasn’t been a clear statement on why Cathay Pacific waited so long before providing details on the breach.
In the case of Cathay Pacific, the announcement by Chief Executive Officer Rupert Hogg that he was ‘truly sorry for the concern this may have caused [customers]’ would be of little comfort to those affected.
Fasten your seat belts
Airline data breaches are going to get worse before they get better. Airlines are simply too attractive a target for cybercriminals who want to harvest personal information. It is becoming increasingly clear that airlines need to drastically change the way they treat and protect data.
Hong Kong’s privacy commissioner expressed serious concern over the leak and said the office will initiate a compliance check with the airline. Lam Cheuk-ting, a member of the Legislative Council’s security committee, criticized Cathay and said that the airline should’ve taken the initiative the very first day it found out. Cathay’s Chief Customer and Commercial Officer Paul Loo said the airline wanted to have an accurate grasp on the situation and didn’t wish to “create unnecessary panic.” However, Cathay’s response time remains extremely worrying.
It is apparent that airlines will have to drastically address cyber security issues – not only how they protect customers’ data – but also how they respond to data breaches. There is no doubt that airlines will continue to be prime targets for hackers and a more aggressive and strategically sound approach to protecting data is urgently required.