The National Privacy Commission, in an order made public during the weekend, said data from 102,000 Filipino passports and credit cards were among those affected in the sweeping data breach that hit Cathay Pacific in 2018.
A total 35,700 passports, 144 credit card numbers, and 66,000 other personal data from the airline’s Philippine customers were exposed when Cathay’s network suffered from unauthorized access in March, the NPC said in an order dated Oct. 29.
The NPC is an independent body created under Republic Act 10173 or the Data Privacy Act of 2012, mandated to administer and implement the provisions of the Act and to monitor and ensure compliance of the country with international standards set for data protection.
It is attached to the Philippine Department of Information and Communications Technology for purposes of policy coordination but remains independent in the performance of its functions.
Under the law, the Commission safeguards the fundamental human right of every individual to privacy, particularly information privacy while ensuring the free flow of information for innovation, growth, and national development.
Among the data items exposed were nationalities, dates of birth, phone numbers, email addresses, credit card numbers, frequent flyer membership numbers, customer service remarks, and historical travel information, the NPC said.
The Commission gave Cathay five days to submit “further information on the measures taken to address the breach.”
Cathay was also given 10 days to explain in writing why the government should “overcome the presumption” that the airline deliberately hid the breach from the NPC, the Commission said.
“There appears to be a failure on the part of Cathay to report to this Commission what it knew about the data breach at the time it confirmed unauthorized access and what the affected data fields are,” the NPC added.
“Philippine law imposes criminal liability on persons who, after having knowledge of a security breach and of the obligation to notify the Commission under the Philippine law, intentionally or by omission conceals the fact of such security breach,” the order read.
In October, Cathay Pacific confirmed it suffered from a data breach that affected 9.4 million passengers worldwide.
The airline first noticed “suspicious activity on its network and called for an internal investigation” in March 2018, and confirmed the “unauthorized access” in May.
READ: 755K Facebook users’ data breached