Two groups, one who installed a keylogger on a server, the other who exploited a vulnerability on an unsecured Internet-facing server led to data breaches at Cathay Pacific Airlines which exposed personal information of 9.4 million passengers, Hong Kong’s privacy commissioner has concluded.
In a report issued this week by Stephen Kai-yi Wong, the international airline was criticized for:
–exposing the administrator console port of the server, which was the gateway for attackers;
–failing to catch an unspecified but “commonly known exploitable vulnerability” on the server;
–being “lax” for only running once a year a vulnerability scan on that server;
–and for not deploying effective multi-factor authentication for all users who could remotely access IT systems that had personal data.
UPDATE: On March 4, 2020 the airline was fined the equivalent of $840,000 by the U.K. Information Commissioner’s Office for failing to protect the security of personal information of U.K. passengers.
The breach was discovered when Cathay first detected suspicious activity on its network on March 13, 2018.
The personal data involved consisted mainly of the passengers’ name, flight number and date, title, email address, membership number, address and phone number. Roughly 9 per cent of the passengers’ data (about 800,000) also had their passport number listed. But the data also included the Hong Kong Identity Card numbers of 240,000 people harvested from an air miles program for verification purposes. The airline had stopped collecting those numbers 13 years before the breach but still kept them. The report said the airline had no justifiable reason for keeping those numbers longer than necessary, a violation of the territories’ data protection ordinance.
Cathay told investigators that no passenger’s profile had been accessed in full because the compromised data consisted of partial extracts of a number of databases rather than any single database in its entirety.
“In all the relevant circumstances of the case in relation to personal data security, the Commissioner finds that Cathay did not take all reasonably practicable steps to protect the affected passengers’ personal data against unauthorized access in terms of vulnerability management, adoption of effective technical security measures and data governance,” the report concluded.
As a result the airline was ordered to hire an independent data security expert to overhaul IT systems that hold personal data and make sure they are free of malware and vulnerabilities and to run penetration tests; implement effective MFA for all remote users accessing systems with personal data and regularly review remote access privileges; regularly run effectively vulnerability scans; and to create a clear data retention policy.
The airline has six months to show these orders have been followed.
As the biggest IT user in Hong Kong, Cathay Pacific has 4,500 servers with 470 databases and about 600 applications. Of the 120 systems with personal data, four were hacked: A customer loyalty system, a backup of a database that was in the process of being moved to a new system; a server with the airlines’ customer information; and a database air miles users accessed could redeem rewards.
Chronology
According to the chronology of the incident in the report, the airline faced a difficult situation after discovering suspicious activity in March 2018. While it was trying to shut down the problem its systems were undergoing intense — and sometimes successful — attacks for several months. It wasn’t until October, 2018 that the airline could identify affected passengers.
Unknowingly, the airline had been hacked by two different and publicly unidentified groups. The report says Cathay Pacific believes the first attack started in October, 2014 when what it calls Group One was somehow able to place a keylogger on the customer information system and began harvesting credentials. After installing a virtual private network (VPN), this attacker used stolen credentials to access servers, spreading laterally and installing more credential harvesting tools.
Forty-one valid user account credentials were stolen in this attack, including administrator, user, web and service accounts.
Group Two exploited the unnamed application vulnerability on the Internet-facing server in August 2017. No details were given about that vulnerability, but the report says it had been around for 10 years.
The airline was using an older version of the application because a newer one was incompatible with an aircraft manual. The report says Cathay claimed that it had run a vulnerability scan on that server in March 2017 before it went live. However, the scan did not identify the vulnerability. Cathay also told investigators that the anti-malware and endpoint protection application installed on that server was unable to detect the relevant malware and utilities because “there were no publicly available signatures.”