Two separate groups breached Cathay Pacific’s cyber-defenses over a four-year period, taking advantage of multiple failures in IT security, a damning new report from the Hong Kong privacy commissioner has found.
The first incident occurred in October 2014 when keylogging malware was placed on an internal system to harvest account credentials. The group used these to access Cathay’s IT system via a VPN to steal data, whilst also moving laterally to extract domain credentials from other parts of the network. This activity continued until 2018.
The second group exploited a flaw on an internet-facing server back in 2017, enabling them to gain admin access, move laterally and install credential-harvesting tools. These credentials were used to access data via a VPN until May 2018.
Although the exploited vulnerability was first published in 2007, the airline claimed it was unable to upgrade because of compatibility problems with an Airbus fleet manuals app.
However, a scan it ran in 2017 did not spot the bug, and Cathay also claimed that its anti-malware and endpoint protection tools didn’t detect any of the malware used in the second attack because no signatures were available, the report revealed.
The incidents were finally uncovered when the second group attempted a brute-force attack against the firm in March 2018 and it brought a cybersecurity expert on board to investigate.
Four of Cathay’s 120 IT systems containing personal data were affected: a customer loyalty system, a shared back-end database used to support web apps, a reporting tool and an air miles database.
The privacy commissioner criticized the airline for multiple security failings, including: failing to identify the server flaw, scanning at too wide an interval (yearly), exposing the admin console port of the server to the internet, failing to apply multi-factor authentication for all users accessing IT systems containing personal data, generating unencrypted database backup files, failing to reduce malware risks after the 2017 incident and failing to have an effective personal data inventory.
“In all the relevant circumstances of the case in relation to personal data security, the commissioner finds that Cathay did not take all reasonably practicable steps to protect the affected passengers’ personal data against unauthorized access in terms of vulnerability management, adoption of effective technical security measures and data governance, contravening DPP 4(1) of Schedule 1 to the Ordinance,” the commissioner concluded.
The airline also kept Hong Kong ID card details of affected passengers for longer than was necessary, it said.
Some 9.4 million passengers were affected by the breach, which Cathay Pacific finally revealed in October 2018.
However, while all had their names stolen by attackers and most had flight number and date (61%) and email address (53%) compromised, far fewer had membership number (38%), address (24%), phone number (19%), nationality (12%), passport number (9%), date of birth (8%) and ID card number (6%) affected.
Just 0.004% had credit card details stolen, suggesting that the motivation for the attacks may have been non-financial, which could potentially indicate nation state involvement.