book a virtual meeting Search Search
why mk
find out more
corporate social responsibility
find out more
macpherson kelley foundation
find out more
why choose mk?
find out more
are you a graduate?
find out more
work with us
view vacancies
brisbane

one eagle – waterfront brisbane
level 30, 1 eagle street
brisbane qld 4000
+61 7 3235 0400
get directions find a lawyer
dandenong

40-42 scott st,
dandenong vic 3175
+61 3 9794 2600
get directions find a lawyer
melbourne

level 7, 600 bourke st,
melbourne vic 3000
+61 3 8615 9900
get directions find a lawyer
sydney

level 21, 20 bond st,
sydney nsw 2000
+61 2 8298 9533
get directions find a lawyer

hello. we’re glad you’re
getting in touch.

Fill in form below, or simply call us on 1800 888 966

Home > News & Insights > Cathay Pacific’s Recent Data Breach Proves Data Breaches Are Inevitable: Is Your Business Prepared?

Cathay Pacific’s Recent Data Breach Proves Data Breaches Are Inevitable: Is Your Business Prepared?

01 November 2018
mitchell willocks
Read Time 5 mins reading time
Kelly Dickson managing principal lawyer - dandenong, commercial
Mark Metzeling principal lawyer, commercial

Last week, Hong Kong airline Cathay Pacific announced that it was affected by a data breach which concerned the information of up to 9.4 million people. The major airline further announced that the breach was detected in March and confirmed in early May of this year, some seven months before the incident was reported to the affected individuals.

It gets worse – the breached data included highly sensitive information, including passport numbers, full names of passengers, their nationalities, dates of birth, telephone numbers, email and physical addresses, identity card numbers, and historical travel information.

This recent data breach has caused many to suggest that if a major international airline like Cathay Pacific (with presumably close to the best cybersecurity technology in place) can be affected by this kind of data breach, it is inevitable that other companies will eventually be affected by similar breaches.

Companies should be concerned. Data breaches in one form or another are likely inevitable. Cyber security experts now widely consider that data breaches are a matter of “when”, not “if”.  It is how businesses protect data and respond in the event of a breach that can prevent businesses from being subject to major penalties under Australian and international privacy laws (and prevent major reputational damage).

Had the airline been subject to Australia’s privacy laws, it would potentially be liable to fines of up to $2.1 million for failing to report the breach within the required period. Under Europe’s recently implemented General Data Protection Regulation (GDPR) laws, the potential penalties would be much higher. For example, Facebook may be facing a fine of up to $1.63 billion for recent claims regarding its failure to comply with the GDPR.

It is unclear why Cathay Pacific failed to report the breach within the required time limit and kept its customers in the dark. However, it appears that the airline may escape significant penalties in this instance, as the breach was discovered about three months before the GDPR laws came into force on 25 May 2018.

Australia’s data breach laws require entities to notify the Office of the Australian Information Commissioner and the affected individuals as soon as practicable after an eligible data breach occurs. The Commissioner suggests that this period should not be more than 30 days. However, in practical terms, it is widely accepted that this period should not be longer than 72 hours after the entity becomes aware of the breach.

This means you need to be prepared for a potential breach and have a plan in place.

What Can We Learn from Cathay Pacific?

Businesses need to be prepared for a data breach by having the proper policies and procedures in place to prevent a data breach, and how to deal with and mitigate any damage arising from a data breach.

Cathay Pacific recovered from its data security event by focusing on two key stakeholder relationships: customers and regulators.

Customers

The Cathay Pacific breach isn’t the first major airline data breach, but it is undoubtedly one of the largest. In responding to the breach, the airline created a specific microsite for the data breach and has suggested that customers secure their data by taking precautionary measures, such as changing their passwords and potentially replacing their passports.

In addition to complying with mandatory reporting obligations, these steps also assist with mitigating much of the potential brand damage that can wreak havoc for a business in such a competitive industry.

Regulators

Cathay Pacific alerted regulators around the world in the locations that the affected people are residents.

Many national regulators have the power to impose financial penalties on businesses which are deemed to have failed to take reasonable steps to protect the data they hold.

The risk of penalties means it is more imperative than ever that businesses do not retreat in the event of a data breach. Instead, businesses must actively collaborate with regulators to reduce the damage that could be done with the stolen data and provide as much information as possible for government agencies to detect the party or parties behind the breach.

Key Takeaways

  1. Do not assume that a data breach will not happen to your business and ensure that your business is prepared to deal quickly with such an event;
  2. At the very least, conduct a privacy compliance audit and prepare a data breach response plan if you haven’t done so recently;
  3. Be aware of your reporting obligations and be prepared to collaborate with regulators throughout the process in the aftermath of a data breach; and
  4. Take steps to mitigate damage as soon as possible.

If you would like to find out more about preparing for or addressing a data security event, please get in touch with us.

This article was written by Mitchell Willocks, Lawyer – Commercial. 

Kelly Dickson managing principal lawyer - dandenong, commercial
Mark Metzeling principal lawyer, commercial

more
insights
03 April 2024

IP assets spark estate battle between brothers

read more
23 February 2024

Proposed PPS Framework Reform

read more
08 February 2024

New cyber security rules on the way for China

read more

stay up to date with our news & insights

Cathay Pacific’s Recent Data Breach Proves Data Breaches Are Inevitable: Is Your Business Prepared?

01 November 2018
mitchell willocks

Last week, Hong Kong airline Cathay Pacific announced that it was affected by a data breach which concerned the information of up to 9.4 million people. The major airline further announced that the breach was detected in March and confirmed in early May of this year, some seven months before the incident was reported to the affected individuals.

It gets worse – the breached data included highly sensitive information, including passport numbers, full names of passengers, their nationalities, dates of birth, telephone numbers, email and physical addresses, identity card numbers, and historical travel information.

This recent data breach has caused many to suggest that if a major international airline like Cathay Pacific (with presumably close to the best cybersecurity technology in place) can be affected by this kind of data breach, it is inevitable that other companies will eventually be affected by similar breaches.

Companies should be concerned. Data breaches in one form or another are likely inevitable. Cyber security experts now widely consider that data breaches are a matter of “when”, not “if”.  It is how businesses protect data and respond in the event of a breach that can prevent businesses from being subject to major penalties under Australian and international privacy laws (and prevent major reputational damage).

Had the airline been subject to Australia’s privacy laws, it would potentially be liable to fines of up to $2.1 million for failing to report the breach within the required period. Under Europe’s recently implemented General Data Protection Regulation (GDPR) laws, the potential penalties would be much higher. For example, Facebook may be facing a fine of up to $1.63 billion for recent claims regarding its failure to comply with the GDPR.

It is unclear why Cathay Pacific failed to report the breach within the required time limit and kept its customers in the dark. However, it appears that the airline may escape significant penalties in this instance, as the breach was discovered about three months before the GDPR laws came into force on 25 May 2018.

Australia’s data breach laws require entities to notify the Office of the Australian Information Commissioner and the affected individuals as soon as practicable after an eligible data breach occurs. The Commissioner suggests that this period should not be more than 30 days. However, in practical terms, it is widely accepted that this period should not be longer than 72 hours after the entity becomes aware of the breach.

This means you need to be prepared for a potential breach and have a plan in place.

What Can We Learn from Cathay Pacific?

Businesses need to be prepared for a data breach by having the proper policies and procedures in place to prevent a data breach, and how to deal with and mitigate any damage arising from a data breach.

Cathay Pacific recovered from its data security event by focusing on two key stakeholder relationships: customers and regulators.

Customers

The Cathay Pacific breach isn’t the first major airline data breach, but it is undoubtedly one of the largest. In responding to the breach, the airline created a specific microsite for the data breach and has suggested that customers secure their data by taking precautionary measures, such as changing their passwords and potentially replacing their passports.

In addition to complying with mandatory reporting obligations, these steps also assist with mitigating much of the potential brand damage that can wreak havoc for a business in such a competitive industry.

Regulators

Cathay Pacific alerted regulators around the world in the locations that the affected people are residents.

Many national regulators have the power to impose financial penalties on businesses which are deemed to have failed to take reasonable steps to protect the data they hold.

The risk of penalties means it is more imperative than ever that businesses do not retreat in the event of a data breach. Instead, businesses must actively collaborate with regulators to reduce the damage that could be done with the stolen data and provide as much information as possible for government agencies to detect the party or parties behind the breach.

Key Takeaways

  1. Do not assume that a data breach will not happen to your business and ensure that your business is prepared to deal quickly with such an event;
  2. At the very least, conduct a privacy compliance audit and prepare a data breach response plan if you haven’t done so recently;
  3. Be aware of your reporting obligations and be prepared to collaborate with regulators throughout the process in the aftermath of a data breach; and
  4. Take steps to mitigate damage as soon as possible.

If you would like to find out more about preparing for or addressing a data security event, please get in touch with us.

This article was written by Mitchell Willocks, Lawyer – Commercial.