Cathay Pacific could be facing a USD 500 million fine under the European GDPR
Around 4,000 times greater than allowed under Hong Kong law
Cathay Pacific just disclosed that the personal data of 9.4 million passengers was leaked earlier this year. While the maximum fine the company faces under the Hong Kong Personal Data (Privacy) Ordinance is HKD 1,000,000 (around USD 130k), it could be up to 4,000 times greater if the extraterritorial effect of the European General Data Protection Regulation (GDPR) is enforced as intended.
Hong Kong’s flagship carrier announced it had discovered unauthorised access to passenger data, including passengers’ names, nationalities, dates of birth, telephone numbers, email addresses, physical addresses, passport numbers, Hong Kong identity card numbers, frequent flyer programme membership numbers, customer service remarks and travel history. The suspicious activity was detected in March and an investigation confirmed the unauthorised access in early May, which makes the timing of the disclosure questionable. Indeed, while the Office of the Privacy Commissioner for Personal Data only encourages notification of data breaches through non-binding guidance, the GDPR sets a mandatory 72-hour deadline for reporting data breaches to Data Protection Authorities once the breach is confirmed.
Under the GDPR’s extraterritorial effect, Cathay Pacific is facing a fine far greater than the maximum allowed by local law.
DATA BREACH CASES ON THE RISE IN ASIA, ESPECIALLY IN CHINA
Just last August, one of the largest data leaks in China occurred, hitting Huazhu Hotels Group, which owns more than 10 hotel brands and manages more than 3,800 hotels across 382 mainland cities. The breach involved 130 million hotel clients and was discovered because of a post on a dark web forum, where clients’ personal data and booking information were on sale for a few bitcoins.
Last May, Meituan Dianping, the Chinese internet giant whose businesses include food delivery and e-commerce platforms, launched an investigation into a potential data breach that could have exposed the private information of thousands of users, such as names, mobile phone numbers and home addresses.
DATA LOSS / LEAKAGE PREVENTION MEASURES TO FOSTER CYBERSECURITY
According to the Breach Level Index website, more than 3 billion data records were leaked or compromised in the first half of 2018, a 72% increase compared to H1 2017. The main cause of data leaks is external attacks by malicious outsiders, accounting for 56% of cases in H1 2018. Accidental loss is the second largest source of data breaches, with 34% of cases in the same period.
With data leakage cases increasing, data protection is among the key priorities for companies. Data Leakage Prevention (DLP) programmes should be at the top of Chief Information Security Officers’ agendas. The programme should be shaped according to the 3 main pillars of Data Protection:
Sia Partners has built strong capabilities and experience in Information Security, in particular in Data Leakage Prevention practices and GDPR requirements. Through our dedicated teams of specialised consultants, we have helped organisations implement processes and procedures ensuring appropriate controls are in place, especially for the most critical applications. We also assist with Third-Party Assessments, ensuring that all third parties comply with the requirements.
To know more, browse our GDPR website
And don’t hesitate to contact us, we’re only an email away.
About Sia Partners
Founded in 1999, Sia Partners is an independent global management consulting firm and pioneer of Consulting 4.0 with over 1,100 consultants and an annual turnover of USD 200 million. The Group has 20 offices in 15 countries. Through unparalleled industry expertise, Sia Partners delivers superior value and tangible results for its clients. True to its innovative approach, Sia Partners explores the possibilities offered by Artificial Intelligence, invests in data science and develops consulting bots. Sia Partners is a global partnership wholly owned by its executives.
Even though the GDPR is not meant to be retroactive, it has been confirmed that data breaches that occurred before 25 May 2018 but were kept silent until after that date will also be liable to a fine.