Cathay Pacific Airways Ltd., which is under fire for the world’s biggest airline data breach, said the sophisticated attacks lasted months as it took steps to shield its exposed computer network.
The attacks were most intense March through May and continued, Asia’s biggest airline said Monday in a written submission to Hong Kong’s legislature before a panel hearing this week. Although the number of successful attacks diminished, concerns remain “new attacks could be mounted,” the city-based airline said, apologizing to passengers for the incident.
“Cathay is cognizant that changes in the cybersecurity threat landscape continue to evolve at pace as the sophistication of the attackers improves,” it said. “Our plans, which include growing our team of IT security specialists, will necessarily evolve in response to this challenging environment.”
Hong Kong’s privacy watchdog said last week that it was investigating the breach the carrier disclosed seven months after detection. While the attack exposed personal information of 9.4 million passengers, including passport details, addresses and emails, Cathay Pacific said flight safety wasn’t compromised and there was no evidence the data was misused.
The carrier said it has spent more than HK$1 billion ($128 million) on its IT infrastructure and security over the past three years. Shares of the premium airline extended declines, slipping 1.5 percent as of 9:34 a.m. Tuesday in Hong Kong. The have dropped 2.3 percent since a filing disclosed the breach on Oct. 24.
The breach has prompted calls to overhaul Hong Kong’s two-decades-old privacy laws to ensure companies report any leaks quicker. For now, offenses for disclosing personal data obtained without consent from users could be subject to a fine of HK$1 million and imprisonment for five years, according to the Personal Data Ordinance. Individuals who suffer damage could also seek compensation.
(Updates with shares in fifth paragraph.)
©2018 Bloomberg L.P.