Boardroom Best Practices

Cathay Pacific Caught Unprepared in Largest Airline Cybersecurity Breach Ever

Cathay Pacific did not take the measures needed to protect its customers' data. The result was the largest loss of personal data to hackers ever suffered by an airline, and one that was kept from the public for nearly seven months. An expert technology partner, such as Diligent's Governance Cloud, can provide the up-to-date, expert protection that companies need.

If proof were needed that IT systems require the highest, most current level of security, with ongoing preparation for attacks, the Cathay Pacific data breach, made public on October 25, provides it. Yet recent studies show that only a minority of Australian companies have security at that level, the kind offered by the Diligent Governance Cloud.

Hong Kong carrier Cathay Pacific suffered the largest data breach ever recorded for an airline last March. The breach, and the delay in announcing it, have already cost the airline $361 million in market value, with its share price falling to its lowest level in nine years.

About 9.4 million customers were affected. The leaked data included names, nationalities, dates of birth, telephone numbers, email addresses, physical addresses, passport, identity card and frequent-flyer numbers, and historical travel information. Among the records were 860,000 passport numbers and 245,000 Hong Kong ID numbers.

A number of cybersecurity experts questioned the long delay in announcing the breach, expressing concern that it gave the hackers months in which to make use of the personal data they had acquired. Hong Kong's privacy commissioner, Stephen Kai-yi Wong, expressed "serious concern" over Cathay Pacific's failure to prepare for attacks and urged companies to improve their protection of personal data.

Preparation is the key to cybersecurity

Airlines, which hold large amounts of customers' personal data, must prepare better for attacks of this kind, experts warned.

“Collectively, black hat hackers are patient and their persistence means they are likely to be successful 100 per cent of the time when they attempt to breach a system. This stacks the cards against the defenders, meaning that Cathay and the airline industry as a whole needs to rethink their strategy around network detection and start taking the fight to the hacker by going on the offensive with more advanced technologies and services that will stop threats before they can materialise,” explained Sam Curry, Chief Security Officer at IT security firm Cybereason.

Yet the necessary protection against this kind of attack already exists, as Ryan Wilk, vice-president at NuData Security, points out.

“Multi-layered technology that thwarts fraud exists right now. Passive biometrics technology is making stolen data valueless by verifying users based on their inherent behaviour instead of relying on their personally identifiable information. This makes it impossible for bad actors to access illegitimate accounts, as they can’t replicate the customer’s inherent behaviour.”

Wilk insists that, if more companies took steps to implement the necessary protections, attacks like this would be thwarted entirely.

Need for an expert technology partner

The problem, of course, is that many companies do not take the steps needed to protect themselves.

“Recent research suggests that most companies have unprotected data and poor cybersecurity practices in place, making them vulnerable to data loss. To keep your organisation and customers secure, you will need to know the latest movements in cybersecurity,” warns Rob Sobers, senior director at cybersecurity firm Varonis.

The past few years have seen large companies such as Uber, Equifax and Under Armour fall prey to data breaches, not to mention the breach disclosed by UK carrier British Airways on September 7, only weeks before Cathay Pacific's announcement.

“This increase in cyber hacking comes with a very high price for companies who have not invested sufficiently in their cybersecurity architecture. According to Accenture, a malware attack on average costs companies $2.4 million, and 50 days in time to rectify the incident,” Sobers adds.

An expert technology partner can manage this kind of protection for the companies that need it most.

Danger at the board level

Companies are, of course, most vulnerable at the board level, where the most sensitive corporate information is discussed. Boardroom discussion should be protected by a high-quality board portal that guards all communications from leaks and encrypts all materials under consideration by board members. The board portal can also limit access to sensitive information to those who have the right to it, and it can protect board materials on members' devices: if a device is lost or stolen, the portal's data on it can be wiped remotely.

Diligent makes sure you are ready for all threats

"Carefully protected internal communication services centred on security and privacy are the safest way to conduct internal communication," one study noted. Diligent, as the longstanding market leader for high-level corporate communications, is uniquely positioned to offer its clients the highest level of assurance around security measures. Diligent's position in the marketplace allows for investment in best-in-class security practices at a level greater than most competitors' annual revenue.

With ongoing investment and dedication to security technology, resources and infrastructure that no other provider can match, Diligent clients gain a strategic partner that truly puts security first.

All members of Diligent's Security Team are active participants in the information security community in order to maintain up-to-date knowledge and expertise. This keeps them current on the techniques attackers are using and on how to defend against them.

Diligent has established a security program based on industry standard frameworks that is dedicated to ensuring customers have the highest confidence in our custodianship of their data. Our Information Security Management System (ISMS) is ISO 27001:2013 certified and our cybersecurity framework is based on NIST standards.

Diligent Boards™ data is housed in a world-class hosting infrastructure. Co-location data-hosting facilities are operated at Tier 3 equivalent or higher standards. Diligent owns and operates its own equipment. Data stored by customers in the Diligent Boards solution is not hosted by any third-party cloud providers. Instead, it is stored on Diligent’s own secure servers and protected by strong physical security. Access to these data centers is limited to authorised personnel only and verified by two-factor authentication.

Data is encrypted at rest, in transit and on users' devices. The Diligent Boards service uses currently recommended TLS cipher suites for customer data in transit and currently recommended ciphers for data at rest. Customer data is encrypted at rest on Diligent's storage systems and on the customer mobile devices that run the Boards apps. The keys that encrypt customer data are held in a tamper-resistant Hardware Security Module validated to FIPS 140-2 Level 3 (the standard specifies tamper evidence and resistance, not tamper proofing).
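The design that paragraph describes, in which bulk data is encrypted under data keys and those keys are in turn protected by a master key that lives in an HSM, is the envelope-encryption pattern. The Go program below is an added illustration of that pattern; it is not Diligent's code and makes no claim about how the Boards service is built. The KEK type and its in-memory key stand in for an HSM-held master key, and the names, identifiers and sample inputs are constructed for the example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"io"
)

// randomBytes draws n bytes from the OS CSPRNG. A failing CSPRNG is not
// recoverable, so this panics instead of returning an error.
func randomBytes(n int) []byte {
	b := make([]byte, n)
	if _, err := io.ReadFull(rand.Reader, b); err != nil {
		panic("crypto/rand failed: " + err.Error())
	}
	return b
}

// gcm builds an AES-GCM AEAD. Every key in this file is 32 bytes, so a failure
// here is a programming error rather than a runtime condition.
func gcm(key []byte) cipher.AEAD {
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err)
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		panic(err)
	}
	return aead
}

// sealGCM returns nonce || ciphertext || tag. A random 96-bit nonce is fine here
// because each key encrypts only a handful of messages (one record, or one DEK).
func sealGCM(key, plaintext, aad []byte) []byte {
	aead := gcm(key)
	nonce := randomBytes(aead.NonceSize())
	return aead.Seal(nonce, nonce, plaintext, aad)
}

// openGCM reverses sealGCM; any change to the blob or the aad fails the tag check.
func openGCM(key, blob, aad []byte) ([]byte, error) {
	aead := gcm(key)
	if len(blob) < aead.NonceSize() {
		return nil, errors.New("ciphertext too short")
	}
	return aead.Open(nil, blob[:aead.NonceSize()], blob[aead.NonceSize():], aad)
}

// KEK stands in for the master key kept inside an HSM (an assumption of this
// example). Only Wrap and Unwrap touch key; against a real HSM those two calls
// go into the module and the key bytes never reach the host.
type KEK struct {
	ID  string
	key []byte
}

func NewKEK(id string) *KEK { return &KEK{ID: id, key: randomBytes(32)} }

// Wrap binds the KEK ID as aad, so a wrapped DEK cannot be re-attributed to
// another master key; Unwrap fails unless both the blob and the ID match.
func (k *KEK) Wrap(dek []byte) []byte             { return sealGCM(k.key, dek, []byte(k.ID)) }
func (k *KEK) Unwrap(blob []byte) ([]byte, error) { return openGCM(k.key, blob, []byte(k.ID)) }

// Envelope is what gets persisted: the ciphertext and the wrapped DEK that opens
// it. The plaintext DEK exists only transiently inside Seal, Open and Rotate.
type Envelope struct {
	WrappedDEK []byte
	Ciphertext []byte
}

// Seal encrypts one record under a fresh per-record DEK and wraps that DEK under
// the KEK. aad binds the ciphertext to its record so envelopes cannot be swapped.
func Seal(kek *KEK, plaintext, aad []byte) *Envelope {
	dek := randomBytes(32)
	return &Envelope{WrappedDEK: kek.Wrap(dek), Ciphertext: sealGCM(dek, plaintext, aad)}
}

// Open unwraps the DEK through the KEK, then decrypts the record.
func Open(kek *KEK, env *Envelope, aad []byte) ([]byte, error) {
	dek, err := kek.Unwrap(env.WrappedDEK)
	if err != nil {
		return nil, err
	}
	return openGCM(dek, env.Ciphertext, aad)
}

// Rotate re-wraps only the DEK under a new KEK. The bulk ciphertext is untouched,
// which is what makes master-key rotation cheap when the master key lives in an HSM.
func Rotate(oldKEK, newKEK *KEK, env *Envelope) (*Envelope, error) {
	dek, err := oldKEK.Unwrap(env.WrappedDEK)
	if err != nil {
		return nil, err
	}
	return &Envelope{WrappedDEK: newKEK.Wrap(dek), Ciphertext: env.Ciphertext}, nil
}
```

Two properties are worth checking in a design like this. First, a wrapped key is bound to the master key that wrapped it (here through the KEK ID as associated data), so a copied database of envelopes is useless to an attacker who cannot reach the HSM. Second, rotating the master key re-wraps only the small data keys rather than re-encrypting every record. Against a real module, Rotate would unwrap the DEK into the HSM as a key object and wrap it again there, so that the data key never leaves the module in the clear.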

Diligent has a documented Security Incident Response Program for handling security incidents. Incident response procedures are tested and updated at least annually. All incidents are managed by Diligent's Security Incident Response Team, which classifies each event and determines the response process. In the event of a breach, Diligent will promptly notify customers of any unauthorised access to their data.

Board Portal Buyer’s Guide

With the right board portal software, a board can improve corporate governance and efficiency while collaborating in a secure environment. With many board portal vendors to choose from, the whitepaper sets out the most important questions to ask during your search, divided into five essential categories.