Bilingual Editorial: Cathay Pacific's data breach incident
Bilingual Editorial: Delayed notification of privacy breach; Cathay Pacific has failed its passengers and the public
Article date: 23 November 2018

Listen to the Bilingual Editorial

[English (full audio)] Presented by Mr NG, Raymond Wai-man, Lecturer of Hong Kong Community College, The Hong Kong Polytechnic University

[Putonghua (full audio)] Presented by Dr JIAO, Nina, Lecturer of Hong Kong Community College, The Hong Kong Polytechnic University

THE personal data of about 9.4 million passengers of Cathay Pacific and its subsidiary Cathay Dragon was "accessed without authorisation" in the worst leak of passenger data in the history of the international airline industry. Instead of notifying the authorities and the public as soon as possible, the company delayed announcing the incident for nearly six months. This is unacceptable. Hong Kong's privacy ordinance is outdated and a lot of corporations are not vigilant enough about cyber security. The government should amend the law as soon as possible to introduce heavy penalties and urge corporations to enhance their cyber security to protect the personal data of citizens.

Cathay Pacific is a big corporation that has been based in Hong Kong for over 70 years. Its cyber security is expected to be impregnable. The incident has left all who have flown with the airline worried. The way Cathay's management handled the incident afterwards was even worse. The company detected suspicious activities last March and confirmed in May that personal data of its passengers had been stolen. However, the company only made the incident public the evening before last. The public was kept in the dark all these months.

The explanation that Cathay Pacific has given is that the investigation took time, and to avoid creating "unnecessary panic", they wanted to find out what had happened so that they could take proper follow-up action and make necessary arrangements. It is true that it was hard for Cathay Pacific to raise the alarm immediately last March just because "abnormalities" were detected without fully understanding what had happened. However, the company must respect the public's right to know. When the company received confirmation in May that passengers' personal data had been leaked and knew roughly who were affected, it should have notified the passengers promptly instead of waiting for so many months before disclosing the incident. Even though Cathay Pacific has reassured the public that there is no evidence that any personal data has been misused, it does not mean that the affected citizens' worries can be put to rest.

In Hong Kong, the awareness of cyber security is very low. The personal data of 380,000 customers of Hong Kong Broadband was stolen not long ago, and now it is Cathay Pacific. This shows that Hong Kong companies are not vigilant enough about cyber security. While the performance of big corporations is far from satisfactory, the situation of small- and medium-sized enterprises is even more worrying. Last year, Cathay Pacific laid off a number of employees from its information technology department. For now, it is hard to judge whether this has affected the cyber security work of the company and sowed the seeds of the data leak. However, the fact that information technology departments are often targeted in redundancy plans of local companies reflects corporations' cavalier disregard for cyber security.

The government has been keen to promote innovation and technology, but Hong Kong's law regarding technology and privacy is outdated. The European Union's new General Data Protection Regulation stipulates that a company must report any major data breach within 72 hours and the penalty for non-compliance is up to 4% of a company's annual revenue worldwide. In contrast, Hong Kong's Personal Data (Privacy) Ordinance does not require a company to report a data breach, and disclosure is entirely voluntary. Corporations therefore do not have an incentive to spend money on improving cyber security. The Personal Data (Privacy) Ordinance was enacted 21 years ago. Many of its provisions are already out of date and do not meet the needs of the cyber age. To prevent the Office of the Privacy Commissioner for Personal Data from becoming a toothless tiger, the government must amend the ordinance as soon as possible to strengthen the reporting mechanism and introduce heavier penalties.

Delayed notification of privacy breach; Cathay Pacific has failed its passengers and the public

The personal data of about 9.4 million passengers of Cathay Pacific and its subsidiary Cathay Dragon was "accessed without authorisation", the most serious leak of passenger data in the history of the international aviation industry. Cathay did not notify the authorities and the public as quickly as possible, but delayed the announcement for nearly half a year, which is hard to accept. Hong Kong's privacy ordinance lags behind, and many enterprises are insufficiently vigilant about cyber security. The government must amend the law as soon as possible to introduce severe penalties, urging enterprises to strengthen cyber security and protect citizens' personal data.

Cathay is a large company rooted in Hong Kong for over 70 years, and its cyber security ought to be sound. This incident has left every citizen who has ever flown with the airline uneasy, and the management's handling of the aftermath was even worse. Cathay detected suspicious signs in March this year and confirmed the incident in May, yet only announced it the evening before last; the public was kept in the dark all along.

Cathay explains that because the investigation took time, the company wanted first to understand the whole matter and put follow-up arrangements in place, and did not want to "create unnecessary panic". Admittedly, it was hard for Cathay to sound the alarm hastily in March this year merely because it had detected "abnormalities" in its data, before the situation was clear; but it also had to respect the public's right to know. In May Cathay confirmed that personal data had been leaked, and once it had a rough grasp of which passengers' data was involved, it should have notified them promptly; there was no reason to wait for months before releasing the news. Cathay's statement that there is no evidence any personal data has been misused does not mean the affected citizens can rest easy.

Awareness of cyber security in Hong Kong is very low. From the earlier theft of the data of 380,000 Hong Kong Broadband customers to the present Cathay incident, both cases reflect that local enterprises are insufficiently vigilant about cyber security; big companies perform below expectations, and the situation of small and medium-sized enterprises is even more worrying. Last year Cathay cut staff in its information technology department; whether this affected the company's cyber security work and sowed the seeds of the data leak is hard to judge for now, but the fact that layoffs at local companies in recent years have often targeted information technology security departments reflects a careless attitude towards cyber security.

The government is keen to promote innovation and technology, yet the regulations on technology and privacy are quite backward. Under the European Union's latest regulation, if a large-scale data leak occurs, the enterprise concerned must report it within 72 hours, and violators face fines of up to 4% of annual global turnover. By contrast, Hong Kong's Personal Data (Privacy) Ordinance does not require enterprises to report after a personal data leak; whether to disclose is entirely voluntary, so enterprises lack the incentive to spend money on strengthening cyber security. Hong Kong's privacy ordinance was enacted 21 years ago; many of its provisions are already outdated and do not meet the needs of today's cyber age. The government must amend the ordinance as soon as possible to strengthen the reporting mechanism and penalties, lest the Office of the Privacy Commissioner for Personal Data become a toothless tiger.

Ming Pao Editorial 2018.10.26