27 Oct Cathay Pacific Likely to Escape Harsh Punishment Despite Delaying Breach Disclosure
Cathay Pacific may be able to escape harsh penalties under Hong Kong, US, and EU privacy laws since its data breach was discovered three months before May 25, which is the date the GDPR came into effect.
The breach exposed a total of 403 expired credit cards, 27 with no card verification value, as well as 860,000 passport numbers and 240,000 Hong Kong ID card numbers. Although the breach was discovered in March, Cathay only reported it to the privacy commissioner, police, and other authorities last Wednesday, while affected customers were officially informed Thursday.
Privacy Commissioner Stephen Wong Kai-yi said that while Hong Kong law did not require for the data breach to be reported, Cathay should have fulfilled its moral responsibility by notifying affected passengers quickly.