IT experts and Cathay Pacific Airways warned passengers to be extra careful about phishing attempts and suspicious links following the airline's massive data leak. On Wednesday night, the city's flagship carrier said the data of 9.4 million passengers had been accessed illegally. The breach was detected back in March and was confirmed in early May.

"We are aware that attempted phishing is taking place, and would like to remind people that emails related to this data security event will only be sent from infosecurity@cathaypacific.com," the airline wrote on its website, adding that passengers should not click any suspicious links to data monitoring services.

According to the South China Morning Post, phishing involves disguised messages sent through social media or email, using an address or website that looks similar to that of a reputable sender, which is Cathay Pacific in this case. Phishing messages may contain links that direct a user to a suspicious website that requires the submission of sensitive and personal information or the download of malware.

Wilson Wong Ka-wai, head of the Hong Kong Computer Emergency Response Team Coordination Centre at the Productivity Council, said many users were affected by this breach, so they might receive emails or calls appearing to represent the company. He added that people should be more careful when making and handling financial transactions that may also include personal information.

The airline revealed that 27 credit card numbers with no card verification value and 403 expired credit card numbers had been compromised, as well as almost 860,000 passport numbers and 240,000 Hong Kong ID card numbers. More than half the leaked data included names, email addresses and phone numbers, though there was no evidence that passwords, Asia Miles or Marco Polo Club account information had been illegally accessed.

Michael Gazeley, managing director of Network Box Corporation, noted that it is not surprising there might be more phishing activity, since hackers might play on customers' fears. He said that, in Cathay Pacific's case, 'spear phishing' is plausible, in which the stolen details are used to customize phishing emails and make them believable.

Meanwhile, under the European Union's latest General Data Protection Regulation (GDPR), companies should report any data breach within 72 hours. Professor Lau Wing-cheon of the Chinese University's department of information engineering also said a new law must require companies to notify affected customers and regulators "within a reasonable time".