Cathay Pacific’s unpatched decade-old vulnerability led to 2018 breach
The Hong Kong Privacy Commissioner for Personal Data Stephen Kai-yi Wong released a report [PDF] on Thursday detailing his findings relating to the Cathay Pacific breach disclosed in October that affected 9.4 million people.
In his report, Wong spelled out how a pair of groups had targeted the airline, with the first dropping a keylogger onto a reporting system in October 2014 that harvested credentials and allowed them to move laterally through the network and gather other credentials before ceasing on March 22, 2018. The report said Cathay is not aware of how this group entered the system.
The second group exploited a decade-old vulnerability on an internet-facing server that allowed the group to bypass authentication and access administration tools residing on the server.
Cathay claimed it was unable to update the system because an application involved was incompatible with an Airbus fleet manual application. However, Wong also detailed that Cathay had an annual vulnerability scanning exercise, and rebuffed the airline's claim that security software could not detect the vulnerability because a signature had not been released, pointing to the relevant signatures appearing in 2013.
“Cathay’s vulnerability scanning exercise for the internet facing server at a yearly interval was too lax in the context of effectively protecting its IT System against evolving digital threats,” Wong said.
Wong also criticised Cathay for allowing administration tools to be accessed from the internet, and while it had implemented two-factor authentication, it was restricted to IT support workers.
The size of Cathay Pacific’s IT infrastructure was laid out by its chair John Slosar in November 2018.
“Our systems include 1.3 billion files that we backup, 470 databases, 4,500 servers, an enormous network, about 600 applications and we send and receive some 4.5 million emails per day,” he said.
“Significantly, we also block about 16,000 external emails containing viruses every month.”
The report said Cathay had over 120 systems containing personal data, of which four were hit in the pair of attacks: a customer loyalty system; a database for web applications; a reporting system; and a “transient database” for members to claim “non-air rewards”.
Wong said Cathay should have had an inventory of personal data to cover all its systems.
The report further stated that a total of 41 user credentials were taken (including administrator, web, and service accounts), which allowed the attackers to plant malware and other credential harvesters in Cathay’s network.
Cathay was also called out for leaving unencrypted database backups on production servers during a migration.
“Cathay explained that saving the database backup files in the production server was the most practicable way to facilitate the migration for reducing the required migration time and enabling faster recovery and fallback time in relation to migration issues,” the report said.
“The Commissioner finds that Cathay should not have produced unencrypted database backup files to facilitate migration of data centre without adopting effective security controls, thus exposing the personal data of the affected passengers to attackers.”
According to the report’s timeline, the first detection of suspicious activity was on March 13, when a brute force attack occurred that led to 500 staff having their accounts locked. An internal investigation was launched, which discovered the October 2014 access, while the company detected other activities throughout April and May, up to August 28.
Cathay took until October 2018 to disclose the breach, and claimed the delay was due to wanting to “fully and accurately understand the scope and specific details of the personal data that had been taken from each affected passenger so as to be able to provide a meaningful, individualised notification to them”. However, Wong said notification and remedial steps for consumers could have happened sooner.
Thanks to what Cathay claimed were partial compromises of the affected databases, no passenger had their profile accessed in full, but every customer in the 9.4 million accounts had their name disclosed, 61% had flight information accessed, 53% had their email address accessed, 9% had their passport number taken, 8% their date of birth, and 6% various identity card numbers.
Cathay said 430 credit card numbers were taken, but 403 of them were expired.
The airline was also hit in May 2017 with another incident of unauthorised access, from which Wong said the airline should have learnt to respond better.
“The Commissioner finds that risk alertness being low, Cathay did not take reasonably practicable steps to reduce the risk of malware infections and intrusions to its IT system after the earlier security incident in 2017,” Wong said.
As a result of the report, Cathay has been hit with an enforcement action that sees it needing to “overhaul the systems containing personal data” to make sure they are free of malware and vulnerabilities, implement proper multi-factor authentication, scan for vulnerabilities more regularly, have regular independent security tests completed, and create a “clear data retention policy” within the next six months.
“It is quite clear that contraventions aside, Cathay adopted a lax attitude towards data governance, which fell short of the expectation of its affected passengers and the regulator,” Wong said.