
Cathay Pacific Data Breach Probed by Hong Kong's Watchdog

  • Regulator examining whether carrier violated data protection rules
  • Privacy Commissioner has received scores of complaints
Photographer: Paul Yeung/Bloomberg

Hong Kong’s privacy watchdog is investigating Cathay Pacific Airways Ltd. after the carrier last month disclosed the world’s biggest airline data breach that exposed personal information of 9.4 million customers.

The compliance probe will examine security measures taken by Cathay Pacific to safeguard its customers’ private data and the airline’s information retention policy and practice, the city’s Privacy Commissioner for Personal Data Stephen Kai-yi Wong said in a statement late Monday. The regulator is aiming to determine if the company violated laws, he said.

The watchdog said it had received scores of complaints linked to the data breach, which Cathay Pacific revealed in a stock exchange filing seven months after detecting the violation. While passports, addresses and emails were exposed, flight safety wasn’t compromised and there was no evidence any information has been misused, Asia’s biggest international carrier said, without revealing details of the origin of the attack.

The stock has rebounded in Hong Kong, paring all losses since the revelation on Oct. 24. Shares rose as much as 1.9 percent on Tuesday.

The hack has prompted calls to overhaul Hong Kong’s two-decades-old privacy laws to ensure companies report any leaks on a timely basis. For now, offenses for disclosing personal data obtained without consent from users could be subject to a fine of HK$1 million ($127,630) and imprisonment for five years, according to the Personal Data Ordinance. Individuals who suffer damage could also seek compensation.

"The Cathay Pacific incident has highlighted the ineffective reality of our privacy law," local lawmaker Charles Mok said on a radio program last week. The commissioner “has no teeth,” nor does he have the power to conduct criminal investigations or prosecute, Mok said.

The privacy commissioner began the compliance check after the latest information shared by Cathay Pacific offered “reasonable grounds” to believe there may have been a violation of rules, the regulator said.

A Cathay Pacific representative said the airline is “studying the statement of the Office of the Privacy Commissioner and will continue to cooperate fully with the authorities.”

As of late Nov. 5 in Hong Kong, the privacy commissioner’s office received 108 inquiries and 89 complaints related to the data breach, according to the statement.

(Updates with calls to overhaul rules in fifth paragraph.)