56 comments

[ 2.8 ms ] story [ 105 ms ] thread
>data of about 9.4 million passengers of Cathay and its unit Hong Kong Dragon Airlines Limited had been accessed without authorization.

>860,000 passport numbers, about 245,000 Hong Kong identity card numbers, 403 expired credit card numbers and 27 credit card numbers with no card verification value (CVV) were accessed in the breach.

Those numbers don't seem to add up to anything close to 9.4 million. Feel like I'm missing something.

My assumption is a bunch of "less critical" info on ~8m pasengers was accessed (phone numbers? names?), and then ~1m had passport or credit card numbers leaked, and they itemised the "more important" ones explicitly.

It doesn't make a lot of sense however I parse it, but that's the only thing that makes the numbers work.

SCMP reports: "Information consists of passengers’ names, nationalities, dates of birth, identity card numbers and historical travel details." So for the majority it'll be one or more of those data sets.
I wonder how long until companies start regarding customer data as a liability (and a risky one at that), rather than an asset.
When CEOs start getting jailed. CEOs are ultimately responsible. Especially if they are going to justify high salaries for themselves. Fines mean nothing.
This makes no sense. Imagine a junior engineer forgetting to sanitize some inputs, leading to SQL injection. Should the CEO really be put in prison for that? Should the engineer be jailed?
Why doesn't the engineer's manager require code reviews for all check-ins/patches before running in production? Why doesn't the CEO, or anyone between the CEO and the engineer, mandate that all engineers writing production code take courses in writing safer code (e.g. sanitize all input, no exceptions)? Why doesn't the CEO pay for code audits?

I wonder how many companies who have 'leaked' data recently are doing these things. Granted, it will never catch all bugs, but avoiding these things is negligence, which should be punishable.

But the CEO can set a policy of deleting information that is not required, and making sure that policy is followed. Cathay Pacific could choose not to keep all that information.
The CEO makes what, like 100 times of that what a junior makes. Why shouldn't he responsible? He cannot account for that much money through his pure workload but only by taking up responsibility.

Criminalization is wrong, though. Put the company to death, that's enough. Even the high penalties of GDPR already cause changes of management behavior (at least where I work).

To my knowledge there are very few negative consequences, outside of the immediate and obvious ones like reputation, that actually occur when companies leak customer data. I suspect they won't regard keeping vast troves of customer data as a liability until that changes.
Just look at Facebook. How many people have deleted their accounts...
I strongly suspect the amount of money Facebook makes utilizing that data greatly outweighs the cost incurred by the "customers" they've lost as a result of poor data handling.
Doing so will require regulation, and the current US government is against any/all regulation. So I'd say at least 2 more years of further 'data leak' bullshit until we have a real shot of doing something to motivate companies to treat customer data appropriately.
I just made this case to my coworkers recently to defend our use of a hard delete in our customer database, as opposed to a "soft delete" boolean column.
I work in a so called "Big Data" startup.

We go to great extent to not have any kind of Personally Identifiable Information, because the liability is way too big.

It really sucks when a client accidentally send us a list of their customers email and we have to clean up everybody's inbox.

I’m busy building a little tool that I hope I can sell as a SaaS one day and this is absolutely forefront in my mind.

I do not want any of your data, above that which I must hold for the service to be useful. It’s just a liability.

See also: Marco Arment, maker of the Overcast podcast player, pushing people to take their accounts anonymous [0]. It’s just good business sense at this point.

I also plan on having zero trackers. I’ll just get over the fact that I’ll have no visibility of users on my site other than what I can glean from public forums or, you know, actual paid sign-ups. It’s all too fraught with leak risk and I can’t be bothered.

[0]: https://marco.org/2018/04/27/overcast42

It would only be a liability if there were serious punishment.
When there is meaningful regulation, serious consequences, and enforcement agencies with teeth.
Under what circumstances do you think an airline would choose not to know its passengers? This isn’t adtech.
Interesting how it’s always worded in a way that frames the negligent company as the victim instead of the customers whose data was exfiltrated: “Company X was attacked by hackers,” “Company Y was the victim of a data breach.” Its never: “Company Z failed to secure customers’ information.”
I used to do contract pentesting for a big fortune 500 company, and they were able to cut all kinds of security corners because they knew people would perceive them as the victim. The person running our contract at the company said that the people making budget decisions know that at worst there'll be a small stock dip for 1-2 days in the event of a compromise, so they said it's not worth the money to actually have good security because the general public will just see the headlines and consider the company the equivalent of a robbery victim.
When people say there are no consequences for the company yadda yadda yadda what they neglect to also mention is that, typically, there are no consequences for those affected either.

If the one billion odd people affected by major data breaches since 2005¹ all experienced some significant difficulty as a result, we could probably expect a louder outcry and subsequent changes in behaviour by those we entrust(?) our personal identifying information to.

I've been online since well before 2005, and the worst I've experience is one debit card being cancelled due to a failed fraudulent transaction attempt ~10 years ago, and ~2 months ago a successful fraudulent transaction of AU$13.36 which I noticed immediately (thanks mobile banking app notifications), which resulted in the me calling and cancelling the card and the charge being reversed.

Of course, we're all paying more in fees due to insurance against such events, but that appears to be an inconvenience that most people simply don't rate.

1. https://news.ycombinator.com/item?id=18297966

At least in the UK the banks and the police have worked together for years to establish “identity theft” as a thing.

From: Whoops we gave a loan to a stranger because they tricked us!

To: You owe us money because someone stole the core of yourself, from yourself, without you noticing

The police get to move a whole load of theft out of their crime statistics as it modernizes, and the banks get to avoid lots of ‘red tape’ and can decide how nice they want to be to each victim (or rather, how profitable being nice is).

Do you have any citations for that? At least in Germany this is rather unheard of as banks have pretty strict requirements for customer verification. As UK is in the EU as well I'd expect this to not differ too much.
> Hogg said no passwords were compromised in the breach and the company was contacting affected passengers to give them information on how to protect themselves.

Well that's good! My precious password that can be easily changed wasn't leaked!

> Cathay in a statement said accessed data includes names of passengers, their nationalities, dates of birth, telephone numbers, email and physical addresses, passport numbers, identity card numbers and historical travel information.

oh...

I hear you. One issue is that most people use similar passwords for all their services, which yes is problematic and a travesty but that's how it is.

So getting someone's name and personal information (that yes, can also be used for identity theft) is not as bad as now having a list of names and passwords to try to use on bank websites, for example.

Passport number + date of birth and name is enough for a social engineering attack against a lot of banks (hopefully they didn't like my credit card BIN to make it extra helpful to identify my bank).

So my passport number leaking is personally much worse for me than if my password leaked (which I'm very careful to protect).

Do a lot of banks have access to your passport number and use that as identifying info or is there another leg like passport -> ssn -> bank?
If you live (and are opening a bank account) in a country other than your own, your passport is one of the only ways to prove your identity for KYC. I had to show both my HKID and my passport to get an account at HSBC, and I can use either of them as ID at the teller window.
Sure, although in that case it's having a passport in your possession that serves as ID, as distinct from merely knowing the number.

I suspect you might find that a different passport with a different number, expiry date, or even nationality but the same name and date of birth would work equally well.

> I suspect you might find that a different passport with a different number, expiry date, or even nationality but the same name and date of birth would work equally well

Nope. All of the information must match, and they even (excruciatingly) compare the signature in my passport to the one they have on file. At another bank where I used only my HKID to open the account, I'm not permitted to use my passport.

Banks and signatures in HK, that's a true love story in itself. I've never seen banks that are so obsessed with signatures and will reject documents because the signature doesn't exactly match the one they have on file...

Which means you need to have a photo of any signature you register with a bank there or later on forms you sign will be rejected.

As a foreigner living in South East Asia, in my experience asking for a passport number + date of birth + trivial questions (do you have a mortgage? Do you have a loan?, etc...) is used to prove your identity over the phone.

The questions are easily bruteforced through so I'd say it's a real issue. I'm deeply concerned by that leak because of that.

And I find it more concerning than BA leaking my financial details without my passport number (which also recently happened and led me to cancel one of my credit card)

At this point it can be virtually the same, or worse though.

To expand on the identity theft part, all the leaked info are enough to open an online low tier bank account (one might need to forge random images to prove identify and residency, but that’s super basic photoshopping, as it only needs to be scan quality). In particular the passport informations makes it a ton easier.

From there we move from simple identity theft, to possessing a bank account under the name of the victim, which opens the door to so many money schemes (no service will double check when asked to change bank info to another account with the same owner)

I don't know why, this reminds me of Singapore Airline's account login/signup flow. It's cringy to think that the only allow 6 numbers for their password field. Yes, in 2018!
That usually means they are on some kind of ancient mainframe.
Wouldn't a workaround for this be storing the (smaller) hash of a better passphrase, and using that to authenticate once arrive at the "vital bits"?

Then again...someone complacent enough to get that far behind in infrastructure probably doesn't have any chance of that being thought of/appoved.

> Then again...someone complacent enough to get that far behind in infrastructure probably doesn't have any chance of that being thought of/appoved.

I see you've worked in the enterprise? :-)

Another reason is that nobody knows how it really works. The people who knew have long retired. The fear is updating it will likely introduce subtly new behavior and new bugs that everyone is scared of touching it.

My bank (Westpac) only allows 6 alphanumeric characters in their passwords.
And that same bank doesn't distinguish between upper and lower case characters in the password either.
Westpac's interface is quite funny. Only very recently did they allow pasting passwords from a password manager, previously you had to use an on screen keyboard (presumably to stop keyloggers).

On that note; any recommendations for Aussie banks that have a secure and modern interface?

Westpac customer here. If you just need basic banking, you can’t beat ING. They still have a dumb type-a-PIN-by-pressing-buttons login screen, and the customer ID field doesn’t accept pasted data, but other than that I love them. No fees, even on international transactions. Apple Pay if you want it.
I'd love to endorse ING, but i must say, their security really worries me. I'm just putting this out there: you log in to internet banking with your "customer number" which is printed on your bank card, and then you have exactly 4-digit PIN you key in with their stupid on-screen keypad.

I love that they're relatively modern for Australian standards (fast payments, no fees ever, basically) so i'd love to endorse them, but i, too, am on the lookout for a replacement bank that has e.g. MFA with TOTP or a physical challenge-response box like my otherwise overpriced ABN bank account gave me back in 2002, in the Netherlands...

So i, too, am all ears for recommendations.

EDIT: and once you're in internet banking, you can willy nilly transfer cash out if you either use a "saved address" (someone you've paid before) or you'd need to hijack my mobile number. But $deity knows that's easy - just claim you own a number and get it ported over to a new service no-questions-asked. Facepalm, really.

I've found Bankwest to be pretty solid from a tech standpoint.

Lots of their app functionality is now handled through AWS from what i've heard.

(comment deleted)
I believe Air France still does 4 digit pins :(
At least the KLM funnel into the same backend forced you to switch to a password a few months back.
So, I just glanced through this¹ Wikipedia entry and quickly added up all the numbers in the yearly lists of major data breaches and came up with this number:

929 million users / customers affected by major data breaches since 2005.

There's probably at least some / a whole lot of overlap in some, but still...

Thusly, it'd be unusual if any particular individual hasn't had at least some of their identity go astray.

1. https://en.wikipedia.org/wiki/Data_breach

Just realized that with the information leaked (passport number , birthday, name and asiamiles/MPC number), it would be enough to do the phone verification with them and redeem miles from the account. So, not having leaked passwords is really not that much of an achievement.
It'd be good if there was a law that'd fine corporations for being unable to protect user data.

Make the fine directly proportional to: number of people affected * bits of leaked data for each user.

Reposting from the other thread at https://news.ycombinator.com/item?id=18299015*

It is unclear from any reporting as to how this technically happened, which is a shame but hopefully that will be made public in the coming days. Some other outlets[0] have an interesting statement:

> The breach also included details about where each passenger had traveled and any comments made by customer service representatives. The amount of data accessed varied among passengers.*

Based on those details, and the mention of 'no passwords were compromised', chances are this breach has come from an internal helpdesk type system, or possibly CRM. If however the statement around the passwords changes, that opens up a few other possibilities.

What this doesn't sound like, are the attacks we saw on British Airways[1] and Ticketmaster[2], where javascript was injected into the payment pages to vacuum up payment details from customers.

The statement around "The company has no evidence that any personal information has been misused" is always an interesting one, and is one of the many reasons I created my startup Breach Insider[3], so that data breaches like this could be detected much sooner (not 7 months later, as we have seen here), with minimal false positive alerts, and definitive evidence if any data has been misused. By using real email addresses that are unique to each company/business, you can be sure to find out if that data ever leaks & is abused for things like spam or phishing.

[0] https://www.theverge.com/2018/10/24/18019958/cathay-pacific-...

[1] https://www.britishairways.com/en-gb/information/incident/da...

[2] https://www.riskiq.com/blog/labs/magecart-ticketmaster-breac...

[3] https://breachinsider.com

One important thing to note.

PCCW the main local telco uses Hong Kong ID numbers as passwords by default, or at least they used to do so. This means that this database contains usernames and passwords in cleartext for a significant number of users who have never changed their accounts.

Just got an email. My name and addressed was leaked from this breach. Even the email they sent the message from has failed domain authentication. They have become a joke to me.
I'm curious how this is going to be handled by the HK government. Hong Kong does have a privacy bureau (PCPD) but I am not sure what their jurisdiction is and what litigation weapons they have.

That being said, Cathay Pacific has been really going downhill these past couple of years. Not surprised that their IT side of things are effected as well.