
Opinion | After Cathay Pacific’s debacle, companies must get proactive with cybersecurity and get customers involved

  • Kai-Lung Hui says that as more systems become interconnected, it grows more important for companies, their customers and employees to be aware of potential vulnerabilities. Protection is effective only if it is extended to all parties

Customers who were victims of the Cathay Pacific data breach were only informed of the incident in October, even though their data may have been exposed since March. Photo: Getty Images
Data security and privacy have hit the headlines again. Cathay Pacific has suffered a massive data breach leading to the potential compromise of 9.4 million customers’ records. Earlier this year, British Airways disclosed that the payment card data of 244,000 customers had been compromised. Last week, it added another 185,000 to the total number affected.
Separately, fraud cases have occurred in the use of electronic direct debit authorisation (eDDA), a value-added service of the Faster Payment System (FPS) launched last month. eDDA is meant to make direct debit payments such as account top-ups seamless. However, criminals managed to use illicitly obtained Hong Kong ID card images and bank account numbers to move money out of victims’ accounts.

All of these security incidents highlight the weaknesses in our protection. Computer systems today are massively interconnected. Even if we have taken strong measures to protect the in-house systems that store sensitive customer data, we are still exposed to risks created by our trading partners. According to unverified reports, the Cathay Pacific incident could have been caused by a mistake made by its security consultant while conducting penetration tests. The British Airways incident could have happened because a faulty front-end programme from a third-party supplier was used to record payment card data.

Similarly, in the eDDA case, there was no problem on the payer side: the customers’ accounts and the banks’ systems were intact. The problem lay on the payee side, which allowed criminals to open an electronic wallet in the victim’s name without due authentication. The criminals could then use the payer’s (that is, the victim’s) account to top up the counterfeit electronic wallet.

Cathay Pacific calls in the Hong Kong police to help investigate the massive data breach at the Cathay Pacific headquarters in Chek Lap Kok. The breach is rumoured to have taken place during penetration testing by a security consultant. Photo: Felix Wong
Organisations should recognise two important facts about cybersecurity. First, by extending the scope of a service and connecting with more parties to offer it, we take on extra risk because the systems become interdependent. You may have installed a powerful firewall or encrypted all customer data, but a successful phishing attack against a contractor’s employees or a faulty JavaScript file served by your credit card payment processor could render all of these efforts ineffective.