The National Commission on Privacy ordered Cathai Pacific to explain why it had just reported a violation of data a few months after it happened
MANILA, Philippines – Cathai Pacific Airvais has hurt the data that took place in March, over 100,000 Philippines has been hit, the National Commission for Privacy (NPC) said in a Philippine newspaper in Hong Kong.
The NPC cited the airline's findings in a warrant calling on Cathay to explain why the commission should not prosecute its officers for reporting data violations in their system a few months after the incident.
On Saturday, November 10, the NPC issued a decree of 29 October to the media.
On October 24, the airline announced that it suffered a huge loss of data affecting 9.4 million passengers. It has been acknowledged that they have accessed data that includes passport numbers, ID numbers, email addresses and credit card information.
The NPC stated in its order that, based on the Kataie report, the airline company "established the Filipino nationality of those who were endangered in the attack by means of Philippine passport data or where other Cathay property data contained a Philippine address or phone number . "
The NPC said that Cathay's analysis of data breach affecting Philippine travelers:
- Some 102,209 Filipino data subjects had compromised data.
- About 35,700 passport numbers from the Philippines are displayed.
- There were 144 credit card numbers.
Through Attorney Pericles Casuela, Cathai reported to the NPC, among other things, different degrees exposure of each subject of data.
"Among these areas, the traveler's name, nationality, date of birth, phone number, e-mail, credit card number, address, passport number, ID number, number of frequent flyer membership, customer service notes and historical travel information" The NPC said, citing the Cthatian report.
Cathai also informed the NPC that "there was no full access to the travel profile or loyalty, and no passwords were endangered."
In his order, the NPC sent Cathai to:
1. EXPLAIN within ten (10) days why Cathai should have such a Commission to overcome the presumption that there has been an omission of timely notification to the Commission of the occurrence of a breach of data requiring such timely notification that led to criminal liability by the responsible officers Cathai; and 2. SUBMIT, within five (5) days, additional information on the measures taken to resolve the violation.
The NPC noted that Cathai submitted a report to the Commission on the violation of information only on 25 October or several months after the March 13 incident was uncovered and confirmed on May 7th.
He emphasized that according to the Philippine law, such a violation of data had to be reported to the NPC within 72 hours of the "knowledge" of the incident.
"The failure to timely report such a violation of data may require this Commission to fulfill its mandate to ensure the compliance of personal data controller with the provisions of the Privacy Privacy Act. The Philippine law imposes criminal responsibility for persons who, after learning about a breach of security and the obligation to notify the Commission under the Philippine law, deliberately or omits the concealment of such a breach of security, "the NPC stated.
"On the surface, it seems that Cathai was unsuccessful to report to the Commission what he knew about the violation of data at the time he confirmed the unauthorized access, and what are the data fields," it adds.
It has also been said that Katai's personal information controllers "must also explain the remedial measures that are taken after violating the data in the compulsory report."
"On the face of the report, Cathay's measures that" improved security and oversaw its environment "and" cooperated with them [Mandiant], as well as other cyber security experts, to implement measures to prevent future unauthorized access to their systems and databases, as well as to further increase IT security in general "does not meet the required specificity required from the notice to this Commission," the NPC stated.
Read full order here: