
Republic of the Philippines

NATIONAL PRIVACY COMMISSION

RE: CATHAY PACIFIC AIRWAYS LTD. (HONG KONG) DATA BREACH DATED 13 MARCH 2018.

CID B.N. No. 18-198

x------------------------------------------------x

ORDER
THIS ORDER is being issued under the power of this Commission to
compel any entity to abide by its orders on a matter of data privacy, in relation
to a data breach report submitted by Betita Cabilao Casuela Sarmiento for and
in behalf of Cathay Pacific (“Cathay”).

In the Notification dated 25 October 2018, Atty. Pericles Casuela, speaking for and in behalf of Cathay Pacific, acknowledged that:

1. On 13 March 2018, Cathay noted suspicious activity on its network, and commenced an internal investigation (with the assistance of Mandiant, a cybersecurity firm).

2. On 7 May 2018, Cathay’s forensics investigators confirmed unauthorized access to some information systems within Cathay. At some point, Cathay was able to determine the data accessed or exfiltrated by still unknown individuals.

3. The personal data of passengers of Cathay and Hong Kong Dragon Airlines Ltd. were affected. The personal data of members of Cathay’s frequent flyer program, Asia Miles (managed and operated by Cathay’s wholly owned subsidiary, Asia Miles Ltd.), were also affected.

4. The exposure of each data subject varies.

a. Among those fields taken were passenger name, nationality, date of birth, phone number, e-mail, credit card number, address, passport number, identity card number, frequent flyer membership number, customer service remarks, and historical travel information.

5th floor, Ang Kiukok Hall, PICC Complex, Pasay City, Metro Manila 1308
URL: http://privacy.gov.ph Email Address: info@privacy.gov.ph
Order
In re: Cathay Pacific Airways, Ltd.
CID BN No. 18-198
Page 2 of 4
x-------------------------------------------------x

b. No travel or loyalty profile was accessed in full, and no passwords were compromised.

5. From their report, Cathay “very recently” determined the Philippine nationality of those compromised in the attack through Philippine passport details, or where other personal data in Cathay’s possession contained a Philippine address or telephone number. From their analysis:

a. Some 102,209 Philippine data subjects had their data compromised.

b. Roughly 35,700 passport numbers from the Philippines were exposed.

c. There were 144 credit card numbers exposed.

Under Philippine law, notification to this Commission and to the data subjects of the existence of a data breach becomes mandatory when: (a) what is involved is data that is classified as sensitive personal information or information that can be used to enable identity fraud; (b) there is reason to believe that this information is in the hands of an unauthorized person; and (c) there is a real risk of serious harm to the data subject.1 This section applies especially when what is involved is data that is about the financial or economic situation of the data subject, including but not limited to licenses with unique identifiers.2

Notification to this Commission must be made upon knowledge of or the reasonable belief by the personal information controller or personal information processor that a personal data breach has occurred,3 within 72 hours from such knowledge.4

The law also provides that when there is a failure to notify this Commission, or when the Commission determines that there is an unreasonable delay to the notification, there is a presumption that there is a failure to notify.5 When such a failure or delay exists, this Commission may investigate further the circumstances surrounding the data breach, including the failure to report or any undue delay.6

1 National Privacy Commission, Personal Data Breach Management, Circular No. 16-03, §11.
2 Id.
3 National Privacy Commission, Personal Data Breach Management, Circular No. 16-03, §17-A.
4 Id.

The failure to report such a data breach in a timely manner may require this Commission to fulfill its mandate to ensure compliance of personal information controllers with the provisions of the Data Privacy Act.7 Philippine law imposes criminal liability on persons who, after having knowledge of a security breach and of the obligation to notify the Commission under Philippine law, intentionally or by omission conceal the fact of such security breach.8

On the surface, there appears to be a failure on the part of Cathay to report to this Commission what it knew about the data breach at the time it confirmed unauthorized access, and what the affected data fields are. Cathay’s term, “very recently”, does not establish any timeline through which we may determine the timeliness of the report dated 25 October 2018.

Personal information controllers also need to explain the remediation measures taken following a data breach in a mandatory report. On the face of the report, Cathay’s measures that have “enhanced the security and monitoring with its environment” and “working with [Mandiant], as well as other cybersecurity experts, to implement measures to prevent future unauthorized access to its systems and databases, as well as further enhance its IT security generally” do not meet the specificity required of notifications to this Commission.9 For this matter, the Commission may require, as it does, further information from the personal information controller.10 Such information must necessarily include the report from Mandiant and any documentation surrounding such measures taken to remediate the data breach.

5 National Privacy Commission, Personal Data Breach Management, Circular No. 16-03, §20.
6 National Privacy Commission, Personal Data Breach Management, Circular No. 16-03, §21.
7 An Act Protecting Individual Personal Information in Information and Communications Systems in the Government and the Private Sector, Creating for this Purpose a National Privacy Commission, and for Other Purposes [DATA PRIVACY ACT OF 2012], Republic Act No. 10173, §7(a).
8 DATA PRIVACY ACT OF 2012, §30.
9 National Privacy Commission, Personal Data Breach Management, Circular No. 16-03, §17.D.3.
10 National Privacy Commission, Personal Data Breach Management, Circular No. 16-03, §17.D.

For a full appreciation of the circumstances surrounding this report, and the data breach that it describes, it is necessary to require Cathay to explain, in writing, why Cathay and its responsible officers should not be prosecuted under the provisions of the Data Privacy Act of 2012 for Concealment of Security Breaches Involving Sensitive Personal Information.

WHEREFORE, PREMISES CONSIDERED, this Commission hereby ORDERS Cathay to:

1. EXPLAIN within ten (10) days why Cathay should have this
Commission overcome the presumption that there has been a failure
to timely notify this Commission about the occurrence of a data
breach requiring such timely notification giving rise to criminal
liability on the part of the responsible officers of Cathay; and
2. SUBMIT within five (5) days further information on the measures
taken to address the breach.

SO ORDERED.

29 October 2018, Pasay City, Metro Manila.

For the Commission:

FRANCIS EUSTON R. ACERO
Division Chief
Complaints and Investigations Division

GILBERT V. SANTOS
Director IV
Legal and Enforcement Office
