Editorial : Cathay Pacific's data breach incident

[Ming Pao] The personal data of about 9.4 million passengers of Cathay Pacific and its subsidiary Cathay Dragon was "accessed without authorisation" in the worst leak of passenger data in the history of the international airline industry. Instead of notifying the authorities and the public as soon as possible, the company delayed announcing the incident for nearly six months. This is unacceptable. Hong Kong's privacy ordinance is outdated and a lot of corporations are not vigilant enough about cyber security. The government should amend the law as soon as possible to introduce heavy penalties and urge corporations to enhance their cyber security to protect the personal data of citizens.

Cathay Pacific is a big corporation that has been based in Hong Kong for over 70 years. Its cyber security is expected to be impregnable. The incident has left all who have flown with the airline worried. The way Cathay's management handled the incident afterwards was even worse. The company detected suspicious activities last March and confirmed in May that personal data of its passengers had been stolen. However, the company only made public the incident the evening before last. The public was kept in the dark all these months.

The explanation that Cathay Pacific has given is that the investigation took time, and that, to avoid creating "unnecessary panic", it wanted to find out what had happened so that it could take proper follow-up action and make the necessary arrangements. It is true that it was hard for Cathay Pacific to raise the alarm immediately last March just because "abnormalities" had been detected, without fully understanding what had happened. However, the company must respect the public's right to know. When the company received confirmation in May that passengers' personal data had been leaked and knew roughly who was affected, it should have notified the passengers promptly instead of waiting for so many months before disclosing the incident. Even though Cathay Pacific has reassured the public that there is no evidence that any personal data has been misused, it does not mean that the affected citizens' worries can be put to rest.

In Hong Kong, the awareness of cyber security is very low. The personal data of 380,000 customers of Hong Kong Broadband was stolen not long ago, and now it is Cathay Pacific. This shows that Hong Kong companies are not vigilant enough about cyber security. While the performance of big corporations is far from satisfactory, the situation of small- and medium-sized enterprises is even more worrying. Last year, Cathay Pacific laid off a number of employees from its information technology department. For now, it is hard to judge whether this has affected the cyber security work of the company and sowed the seeds of the data leak. However, the fact that information technology departments are often targeted in redundancy plans of local companies reflects corporations' cavalier disregard for cyber security.

The government has been keen to promote innovation and technology, but Hong Kong's law regarding technology and privacy is outdated. The European Union's new General Data Protection Regulation stipulates that a company must report any major data breach within 72 hours and the penalty for non-compliance is up to 4% of a company's annual revenue worldwide. In contrast, Hong Kong's Personal Data (Privacy) Ordinance does not require a company to report a data breach, and disclosure is entirely voluntary. Corporations therefore do not have an incentive to spend money on improving cyber security. The Personal Data (Privacy) Ordinance was enacted 21 years ago. Many of its provisions are already out of date and do not meet the needs of the cyber age. To prevent the Office of the Privacy Commissioner for Personal Data from becoming a toothless tiger, the government must amend the ordinance as soon as possible to strengthen the reporting mechanism and introduce heavier penalties.

Ming Pao Editorial, 2018.10.26: Delayed notification of privacy leak; Cathay lets down passengers and the public

impregnable : strong and impossible to defeat or change

put sth to rest : to stop something by showing it is not true

cavalier : not caring enough about something important or about the feelings of other people
