Cathay Pacific Breach: What Happened?With Details Sketchy, Analysts Weigh In on Possible Contributing Factors
In the wake of a breach at Hong Kong's Cathay Pacific airlines that involved unauthorized access to personal details on 9.4 million passengers, security experts are weighing in on factors that might have contributed to the incident. So far, the airline has provided only sketchy details.
See Also: The Global State of Online Digital Trust
In the past three years, Cathay Pacific has been making a shift away from legacy systems to the cloud, says Aloysius Cheang, executive vice president for Asia Pacific at the Center for Strategic Cyberspace + Security Science, a U.K. think tank for cyber centric leadership. "It now employs a hybrid cloud as part of its strategy to replace their legacy systems," he says.
Tom Wills, strategic advisor to TuriQ, a Netherlands based firm that advises and invests in blockchain and crypto asset related ventures, offers a similar perspective: "A migration off of legacy systems requires a complete reassessment of the company's security posture as the applicable set of threats and vulnerabilities are guaranteed to be different.
The airline is using software from Redhat to build the underlying open platform infrastructure, and it is using Amazon Web Services to hold customer-facing applications, such as online check-in system, flight schedule, fares and web hosting, as was described during AWS Summit Hong Kong in 2017, Cheang points out. "As a result of these front-end apps, I presume that the customer data will be accessible from these apps which are hosted on AWS," he says.
A database can become vulnerable either due to poor programming practices or patches not applied in a timely manner, Cheang says. "Also, unauthorized calls can be made to extract data from the database because access controls are not locked down," he adds.
Some security experts point out that the airline cut some senior staff positions in mid-2017 as part of a cost saving program. "This also included senior folks from the IT department," says Hong Kong-based Michael Mudd, managing partner at Asia Policy Partners. "This coupled with its decision to move away from the legacy systems could have led to some kind of vulnerabilities being left unaddressed," he says.
As airlines get increasingly connected to the internet, the aviation industry must take proactive steps to build security controls that will support these new business paradigms, some security experts suggest. Now that entertainment systems and other systems on planes are internet connected, risks of hacking are greater, they say.
"Airlines should be taking more proactive steps to build security controls that will support these new business paradigms, and new IT and OT infrastructure that is merging," Cheang says.
Statement From Airline
Cathay Pacific tells Information Security Media Group in a statement: "We have notified the Hong Kong Police and are notifying relevant authorities. It is not appropriate to speculate. We are in the process of contacting affected passengers, using multiple communications channels, and providing them with information on steps they can take to protect themselves. We have extended our customer care capabilities so that we can support affected passengers efficiently. Where possible, we are offering complimentary ID monitoring services to affected passengers."
The statement continues: "We remain vigilant to cybersecurity threats, and we continue to invest in IT security. Cybersecurity issues are a continuous threat to businesses around the world. We took and will continue to take measures to enhance our IT security. The safety and security of our people and our passengers remains our top priority."
Although the airline discovered the breach in May, it didn't disclose it until Wednesday.
Some security practitioners question why the airline took such a long time to disclose the breach and yet it has not provided more details.
"Given the blatant behavior of the management of the airline to keep this back a secret for half a year, this does not instill the necessary confidence that this airline is prepared for the new Internet world order," Cheang says.
News of the leak sent shares in Cathay, which was already under pressure as it struggled for customers, plunging more than 6 per cent to a nine-year low in Hong Kong trading.
Hong Kong's privacy commissioner, Stephen Wong Kai-yi, says his office will initiate a compliance check with the airline.
The Straits Times reports that local politicians have slammed the carrier for its delay in informing the public about the breach.
"Whether the panic is necessary or not is not for them to decide, it is for the victim to decide. This is not a good explanation at all to justify the delay," lawmaker Charles Mok tells The Straits Times.
Legislator Elizabeth Quat says the delay was "unacceptable" because it meant customers missed five months of opportunities to take steps to safeguard their personal data, The Straits Times reports.
A website, infosecurity.cathaypacific.com, provides information about the event and what affected passengers should do next.
The Next Steps
In light of the security incident, the airline should take several steps, says Nitesh Sinha, founder and CEO at Sacumen, a security product developer.
"Security solutions are built around five entities - user, device, network, application and data repository," he says. "Security review and implementation must cover all the existing security solutions and processes with respect to these five entities."
Deepen Desai, vice president of security research and threat labs at ZScaler, a cloud security company, notes: "They need to review all logs as well as review the second level of attacks. Often what happens in such cases is that they will plug the hole from where the compromise happened. However, there are multiple steps that led to this attack. Hence, it is important to trace it back."
Sinha says other important steps are:
- Implement principles such as segregation of duties and least privilege;
- Implement a defense-in-depth strategy to ensure that there is no single point of failure;
- Apply a security development life cycle program for critical applications.