A Cathay Pacific Airways Ltd. aircraft flies near Hong Kong International Airport in Hong Kong. (Photographer: Anthony Kwan/Bloomberg)

Cathay Pacific Data Breach Probed by Hong Kong’s Watchdog

(Bloomberg) -- Hong Kong’s privacy watchdog is investigating Cathay Pacific Airways Ltd. after the carrier last month disclosed the world’s biggest airline data breach that exposed personal information of 9.4 million customers.

The compliance probe will examine security measures taken by Cathay Pacific to safeguard its customers’ private data and the airline’s information retention policy and practice, the city’s Privacy Commissioner for Personal Data Stephen Kai-yi Wong said in a statement late Monday. The regulator is aiming to determine if the company violated laws, he said.

The watchdog said it had received scores of complaints linked to the data breach, which Cathay Pacific revealed in a stock exchange filing seven months after detecting the violation. While passports, addresses and emails were exposed, flight safety wasn’t compromised and there was no evidence any information has been misused, Asia’s biggest international carrier said, without revealing details of the origin of the attack.

The stock has rebounded in Hong Kong, paring all losses since the revelation on Oct. 24. Shares rose as much as 1.9 percent on Tuesday.

The hack has prompted calls to overhaul Hong Kong’s two-decades-old privacy laws to ensure companies report any leaks on a timely basis. For now, offenses for disclosing personal data obtained without consent from users could be subject to a fine of HK$1 million ($127,630) and imprisonment for five years, according to the Personal Data Ordinance. Individuals who suffer damage could also seek compensation.

"The Cathay Pacific incident has highlighted the ineffective reality of our privacy law," local lawmaker Charles Mok said on a radio program last week. The commissioner “has no teeth,” nor does he have the power to conduct criminal investigations or prosecute, Mok said.

The privacy commissioner began the compliance check after the latest information shared by Cathay Pacific offered “reasonable grounds” to believe there may have been a violation of rules, the regulator said.

A Cathay Pacific representative said the airline is “studying the statement of the Office of the Privacy Commissioner and will continue to cooperate fully with the authorities.”

As of late Nov. 5 in Hong Kong, the privacy commissioner’s office received 108 inquiries and 89 complaints related to the data breach, according to the statement.

©2018 Bloomberg L.P.