Airline Cathay Pacific has been found to have not followed data protection principles in relation to the security of passengers’ personal data, Hong Kong’s privacy watchdog said in a report published on Thursday.
Last October Cathay said data on about 9.4 million of its passengers had been accessed without authorisation, adding that it had discovered suspicious activity on its network in March 2018 and that investigations in early May last year had confirmed that certain personal data had been accessed.
The breach compromised 860,000 passport numbers and about 245,000 Hong Kong identity card numbers, Cathay had reported.
Cathay Pacific shares slumped to nine-year lows after the October announcement.
In Thursday’s report the commissioner for personal data, Stephen Kai-yi Wong, criticised the airline for “lax” data governance, pointing at its failure to identify common vulnerabilities and put in place measures to plug them.
“Cathay adopted a lax attitude towards data governance, which fell short of the expectation of its affected passengers and the regulator,” he said, adding that the airline had retained Hong Kong identity card numbers of affected passengers longer than necessary.
A statement from the airline said it was assessing the commissioner’s report, which ordered Cathay to appoint an independent data security expert to overhaul its personal data storage systems and chalk out a clear data-retention policy among other measures.