Hong Kong’s privacy commissioner has launched an investigation into the Cathay Pacific airlines data breach that exposed the data of 9.4 million of its customers.
Privacy Commissioner for Personal Data (PCPD) Stephen Kai-yi Wong will check whether the company, along with its Hong Kong-based subsidiary Dragon Air, broke any compliance regulations, looking in particular at the fact that it took Cathay more than seven months to reveal to the victims and the public that the breach took place. The PCPD has received 89 complaints relating to the Cathay breach.
“The compliance investigation is going to examine in detail, amongst others, the security measures taken by Cathay Pacific to safeguard its customers’ personal data and the airline’s data retention policy and practice,” Wong said in a statement.
Cathay reported the breach in October. The data exposed included passengers' names, nationalities, dates of birth, phone numbers, email addresses, addresses, passport numbers, identity card numbers, frequent flyer program membership numbers, customer service remarks, and historical travel information. Additionally, 430 credit cards were accessed; of these, 403 were expired and 27 were active, but no CVV numbers for the latter were exposed.
The PCPD has a wide range of powers it can invoke during the course of an investigation. Under the Ordinance, it is empowered to summon witnesses and require them to furnish evidence, enter premises, and carry out public hearings in the course of a compliance investigation.