Tuesday, November 5, 2024

Cathay’s Massive Data Breach Exposes Undetected ESG Risk

Cathay Pacific, Hong Kong’s de facto flagship carrier, announced on 24 October a data breach involving the personal information of over 9.4 million passengers.

According to the announcement, Cathay Pacific’s IT security team found unauthorised access to its information system. The information accessed includes, but is not limited to, passengers’ names, nationalities, dates of birth, phone numbers, email addresses, addresses, passport numbers, identity card numbers and, most importantly, credit card numbers.

Moreover, it has emerged, and drawn criticism, that the data leak happened much earlier, in early March 2018, and was internally confirmed in May, yet the company failed to report it to the authorities or disclose it to the general public at an earlier stage.

However, despite the seriousness of the incident, Cathay Pacific is not subject to any local legal punishment or penalty, since reporting data breaches in Hong Kong is only voluntary and companies are not obliged to report to the Privacy Commissioner for Personal Data, Hong Kong. The government is advised to adopt laws and regulations similar to the European Union’s General Data Protection Regulation, which requires companies to report breaches within 72 hours, so as to minimise potential losses to companies and customers.

As internet use becomes more and more common around the world, cybersecurity has come under the spotlight. Yet in the company’s latest sustainability report, the term “data security” does not appear even once. One might think it is no accident that the carrier has suffered the recent data hack.

Cathay Pacific is not the only company involved in data breach incidents; many other big companies, such as Facebook, Google and Uber, have reported similar cases.

Companies should put more effort into improving their data security systems, not only to protect their business interests but also for the sake of the general public.
