Cathay Pacific Could Be Facing A USD 500 Million Fine Under The European GDPR

Cathay Pacific just disclosed that the personal data of 9.4 million passengers was leaked earlier this year. While the maximum fine the company is facing under the Hong Kong Personal Data (Privacy) Ordinance is HKD 1,000,000 (around USD 130k), it could be up to 4000 times greater if the extraterritorial effect of the European General Data Protection Regulation (GDPR) is enforced as intended.

Hong Kong’s flagship carrier announced it had discovered unauthorised access to passenger data, including passengers’ names, nationalities, dates of birth, telephone numbers, emails, physical addresses, passport numbers, Hong Kong identity card numbers, frequent flier programme membership numbers, customer service remarks and travel history. The suspicious activity was detected in March and an investigation confirmed the unauthorised access in early May, which makes the disclosure timing questionable. Indeed, while the Office of the Privacy Commissioner for Personal Data only encourages notification of data breaches through non-binding guidance, the GDPR sets a mandatory 72-hour deadline for reporting data breaches to Data Protection Authorities once the breach is confirmed.

Under the GDPR’s extraterritorial effect, Cathay Pacific is facing a fine tremendously greater than what is allowed by the local law.


Just last August, one of the largest data leaks in China occurred, hitting Huazhu Hotels Group, which owns more than 10 hotel brands and manages more than 3,800 hotels across 382 mainland cities. The breach involved 130 million hotel clients and was discovered because of a post on a dark web forum, where clients’ personal data and booking information were on sale for a few bitcoins.

In June 2018, Klook, the Hong Kong-based travel booking platform, suffered a data breach incident. Based on the company statement, the incident was the result of malicious JavaScript code associated with a third-party web-based analytics tool, SOCIAPlus, leaking personal information including credit card details. According to Klook, around 8% of users may have been affected.

Last May, Meituan Dianping, the Chinese internet giant whose businesses include food delivery and e-commerce platforms, launched an investigation into a potential data breach that could expose the private information of thousands of users, such as names, mobile phones and home addresses.


According to the Breach Level Index website, more than 3 billion data records were leaked or compromised in the first half of 2018, a 72% increase compared to H1 2017. The main cause of data leaks is external attacks by malicious outsiders, accounting for 56% of cases in H1 2018. Accidental loss is the second source of data breaches, with 34% of cases in the same period.

With increasing data leakage cases, data protection is among the key priorities for companies. Data Leakage Prevention (DLP) programs should be at the top of Chief Information Security Officers’ agenda. The program should be shaped according to the 3 main pillars of Data Protection:


Sia Partners has built strong capabilities and experience around Information Security, in particular on Data Leakage Prevention practices and GDPR requirements. Through our dedicated teams of specialized consultants, we have helped organizations to implement processes and procedures ensuring appropriate controls are in place, especially for the most critical applications. We also assist in the Third-Party Assessments, ensuring the respect of requirements for all third parties.

Source: Sia Partners
