Cathay Pacific 2014 Breach Fully Disclosed By Hong Kong
The Hong Kong Special Administrative Region in China, through its Privacy Commissioner, Stephen Kai-yi Wong, has publicly disclosed a report containing further findings about the October 2018 data breach involving Cathay Pacific Airways. The report gives the complete account of the events behind the data breach; hackercombat.com first reported the story on Oct 25, 2018 in the article titled: Aftermath of the Data Breach: Cathay Pacific Customers Losing Confidence.
According to Privacy Commissioner Wong, the Cathay Pacific breach (which also affected its subsidiary airline, Hong Kong Dragon) started five years ago, in the last quarter of 2014, contrary to earlier reports that the incident happened more recently. In October 2014, two cybercriminal teams, using an undisclosed method, installed keyloggers on one of the machines used by the airlines. With sheer persistence, the first of the two teams extended its keylogger's foothold from machine to machine until the networks operated by Cathay Pacific were covertly infected. The slow spread of the keylogger was deliberate in order to remain stealthy, harvesting user credentials and other vital data from the computers over the period from October 2014 to late March 2018.
The second group of attackers targeted a heavily unpatched, Internet-connected Cathay Pacific server, exploited a known vulnerability, and gained access to the machine without Cathay Pacific's system administrators noticing. The server remained unpatched for a long time, which allowed third parties to infiltrate it; it also hosted the critical Airbus fleet manual application, which had the unfortunate behaviour of not working properly once a system patch was applied. The company's IT team was only given a once-a-year downtime window to update the vulnerable server, and the intrusion happened between the scheduled yearly downtimes. The server had endpoint protection software installed, but its virus signature database did not contain the updated signatures needed to detect the new keylogger variant used by the attackers.
“Cathay’s vulnerability scanning exercise for the internet facing server at a yearly interval was too lax in the context of effectively protecting its IT System against evolving digital threats,” explained Wong. He criticised the severe leniency of Cathay Pacific's patching methodology, especially given the huge risk posed by a server that hosts a critical application while being connected to the public Internet.
For its part, Cathay Pacific's Chairman, John Slosar, defended the company after the discovery of the breach, saying that Cathay Pacific's IT infrastructure is world-class. The company runs high-end servers hosting 1.3 billion files and keeps a regular backup schedule that protects its fleet of 470 databases hosted across 4,500 servers. The chairman also boasted that their systems successfully block malicious emails to the tune of 16,000 emails monthly.
The chairman's claims about Cathay Pacific's IT security readiness were contradicted by the Commission's report, which stated that over the 4 years the breach went undiscovered, the company lost an estimated 41 user credentials of varying levels of access, including the company's domain logins and website administration accounts. “The Commissioner finds that Cathay should not have produced unencrypted database backup files to facilitate migration of data centre without adopting effective security controls, thus exposing the personal data of the affected passengers to attackers,” concluded the report.