A major cyberattack that saw the data of 9.4 million Cathay Pacific Airways customers stolen by hackers was far worse than the airline has previously admitted.
Rather than the “suspicious activity” it said it had discovered on its billion-dollar computer network in March, the carrier revealed on Monday that it had been the target of an intense attack lasting more than three months.
Cathay made the shock admission in a written submission to Hong Kong lawmakers ahead of a committee hearing to question the airline’s management team on Wednesday morning.
Such was the intensity of the attack, Cathay said, that internal and external IT security experts had to focus solely on containment and prevention throughout March, April and May.
The airline also revealed it had spent HK$1 billion (US$128 million) over three years on IT infrastructure and security, but it was not enough to stop what it called “sophisticated attackers” repeatedly targeting and breaching its system.
Cathay’s investment in its IT system included spending on two large data servers and cloud computing, and came during a period when it generated HK$292 billion (US$37 billion) in revenue.
On October 24, the airline revealed it had suffered a major data breach seven months earlier, and said it had taken steps to investigate whether customer data had been compromised.
It took until mid-August for investigators to discover what hackers had been able to steal, and how it had affected customers.
“Cathay was subject to further attacks which were at their most intense in March, April and May but continued thereafter,” the airline said in its statement. “These ongoing attacks meant that internal and external IT security resources had to remain focused on containment and prevention.”
Cathay’s revelations contradict statements it made earlier about what it knew about the cyberattack, and when.
Questioned on a radio show a day after revealing the hack, Paul Loo Kar-pui, the airline’s chief customer and commercial officer, said the company was not able to confirm if its IT system had been breached until early May.
At the time, he did not mention that the firm had been subjected to attacks for more than three months.
The hack has prompted a formal investigation by the Hong Kong privacy watchdog, while a police investigation is ongoing.
“The investigation was complex, longer than what we would have wished, and we would have liked to have been able to provide this information sooner,” the airline said.
Cathay, one of Asia’s largest international carriers, has been roundly criticised for not telling customers about the hack immediately. On Monday it repeated expressions of “great regret” and “sincere apologies” to the affected passengers, and said it hoped to “continue to earn their confidence and trust”.
“Throughout our investigation into this incident, our foremost objective and primary motivation has been to support our affected passengers by providing accurate and meaningful information,” the statement said.
Lawmaker Charles Mok, representing the IT sector, said the company had missed three opportunities over the course of seven months to go public.
“March, May, August they missed all these opportunities to report it,” said Mok, who was unequivocally critical of the airline’s briefing note given to the Legislative Council.
“I think the answers are very vague… they didn’t elaborate.”
Information accessed by the hackers included passengers’ names, nationalities, dates of birth, telephone numbers, email and home addresses, frequent flier programme membership numbers, passport numbers, Hong Kong ID card numbers and expired credit card numbers.
The 9.4 million people affected included members of the Asia Miles loyalty programme and the Marco Polo Club frequent flier scheme, as well as non-member passengers.
Cathay CEO Rupert Hogg, chairman John Slosar and Loo, who is responsible for the airline’s IT division and is chairman of Asia Miles, are expected to attend the committee hearing on Wednesday.
Additional reporting by Karen Zhang, Alvin Lum and Simone McCarthy