The Office of the Privacy Commissioner issued an investigation report on the personal data of about 9.4 million Cathay Pacific Airways (0293) and Dragonair passengers that was accessed without authorization last year. The Privacy Commissioner, Mr Wong Ching-yee, pointed out that Cathay Pacific violated the data protection principles on personal data security and data retention under the Personal Data (Privacy) Ordinance, and served an enforcement notice on Cathay Pacific directing it to remedy the contraventions and prevent their recurrence.
Huang Jier pointed out that, in addition to the violations, Cathay had clearly taken data governance lightly and failed to meet the expectations of affected passengers and regulatory agencies.
Government: No reasonable steps have been taken to protect passengers’ personal data
Responding to the investigation report issued by the Privacy Commissioner, a spokesman for the Constitutional and Mainland Affairs Bureau said, “The Government has noted that the Office has pointed out in the summary of the investigation report that Cathay Pacific has not taken all reasonable and practicable steps in the management of loopholes, the use of effective technical security measures and data governance to protect the personal data of the affected passengers from unauthorised persons. The Office has issued a series of enforcement orders to Cathay Pacific. The Government urges Cathay to comply with the Directive and take immediate remedial measures.
“In the report, the Office has stated that the existing legislation does not require organisations to give notification of personal data leaks. The Government will consider setting up a mandatory personal data leakage notification mechanism when studying the amendment of the Personal Data (Privacy) Ordinance, and will work closely with the Office and consult relevant stakeholders, including the Legislative Council, in the process of recommending amendments.”
Cathay again apologizes for the incident
Cathay subsequently issued a notice stating that the report of the Hong Kong Personal Data Privacy Commissioner on the incident had been noted. The company is currently considering the report carefully with the consultant and will decide whether it is appropriate to make any detailed public response to the report after consideration.
The company wishes to express its regret and sincere apology for this incident. The company has taken steps to improve its IT security, education and employee awareness, and incident response agility in data governance, cybersecurity and access control. Significant expenditures have been made on IT infrastructure and security in the past three years, and investment in these areas will continue.
Cathay Pacific Airways announced in October last year that some of the passenger information of the company and its wholly-owned subsidiary, Dragonair Limited, had been accessed without authorisation, affecting approximately 9.4 million passengers. However, the company had first discovered suspicious activities in its systems in March of that year but did not make the incident public, and only explained it half a year later.