Travellers queue at Hong Kong International Airport to check in for their flight. As a major transit point and popular destination, Hong Kong draws tens of millions of visitors to the city every year, and its travel industry generates and absorbs enormous amounts of data from and about customers. Photo: Dickson Lee
Opinion
Wickie Fung

Travel hub Hong Kong is on the hit list of cyber criminals, as Cathay data breach shows. It’s time it started defending itself

  • The data breach suffered by Cathay Pacific last year was just one of a growing number of attacks on a pillar of the Hong Kong economy, which highlight the vulnerability of an industry where a large amount of personal information is stored and used
The travel industry in Hong Kong accounts for about 4.5 per cent of the city’s gross domestic product. The city is popular as both a transit point and a destination: recent figures indicate that Hong Kong International Airport welcomed 74.7 million passengers and handled 427,725 annual air traffic movements among over 120 airlines.

To make travel more efficient and remain competitive, the industry generates and absorbs enormous amounts of data from and about customers. This may include the amount of time spent on travel websites, choices made, number of travellers, trips taken, destinations visited, and more.

While this information may seem innocuous, the travel agent, airline, hotel and other travel vendors will also collect much more sensitive information once a booking is made. Often, this includes passport and ID numbers, credit card information, home address, date of birth and more; information which is, in the main, unique and, in some cases, irreplaceable. It is this sensitive information that is especially attractive to cyberattackers, who will use any means they can to steal data to sell on the dark web or leverage for other scams.

The past six months have seen a new trend in cyberattacks in Hong Kong: attacks to steal information have become the No 1 threat, displacing ransomware, as the data can be easily and quickly monetised.
This is evidenced by the unprecedented cyberattack last year on Hong Kong’s flagship carrier, Cathay Pacific Airways, which earned it the dubious record of having the world’s largest airline data breach. Hong Kong had already been dealing with several cases of cyberattacks on travel agencies, only to learn in October that Cathay, too, had suffered a major breach, with the loss of a trove of sensitive data, including Hong Kong ID and passport numbers, dates of birth, addresses and credit card numbers, affecting over nine million people.
In a major data breach last year, the personal information of over nine million people was stolen from Cathay Pacific by cyberattackers. It was the world’s largest airline data breach. Photo: EPA-EFE

These attacks happen so often because, like the health care and banking industries, the travel sector is a huge collector of sensitive data, and thus a prime target for cyberattackers. In 2016, the European Aviation Safety Agency said cyberattacks on aviation systems were occurring at a rate of 1,000 per month, demonstrating then that whatever security strategies were in place were no longer effective.

In many cases, there is inadequate visibility, control and protection of user and application traffic transiting the network and an outdated assumption that everything on the inside of an organisation’s network can be trusted; in fact, threats can come from both inside and outside.

In Hong Kong, companies are not legally obliged to disclose data breaches – although there is a strong moral case to do so – and so, for many years, breaches were kept out of the public eye. This has now changed, thanks to the European Union’s General Data Protection Regulation. A key requirement is that the European regulator is told about any breaches within 72 hours of learning an attack has taken place; a failure to report may result in hefty fines of up to 4 per cent of turnover.

All airlines produce, store, share and analyse data in a similar manner over multiple networks, access points and with authorised third parties to maintain business operations. This, of course, means cyberattackers can leverage vulnerabilities across multiple access points to try to gain unauthorised entry.

All airlines produce, store, share and analyse data over multiple networks, access points and with authorised third parties. This means cyberattackers can leverage vulnerabilities across multiple access points to try to gain unauthorised entry. Photo: Nora Tam

Adversaries look for vulnerabilities or weaknesses in software to exploit. There have been instances where developers and software engineers fail to integrate security measures in designing web apps, allowing organised cybercriminals to exploit these vulnerabilities. Any organisation should always look at and vet any third-party web application provider to ensure their products have the right security measures in place. This should include continuously scanning their sites to detect unauthorised code.

Therefore, it is a priority to understand the flow of this information and to ensure comprehensive checks and approval processes are in place. Passwords – highly sought after by cybercriminals – remain the weakest links in computer security. It is perhaps for this reason that information stealers now make up the biggest proportion of cyberattacks in Hong Kong.

Too often, people choose simple passwords to secure highly sensitive information and then use the same passwords to protect other systems. In light of this, two-factor or multi-factor authentication and biometrics, which help prevent breaches and protect data, are gaining in popularity.

In general, and despite the well-publicised breaches, it is uncommon to find strong IT security teams, or even a security operations centre, within travel and hospitality companies. But as the industry continues to innovate, with technologies from mobile applications to data analytics, and to collaborate with business partners, the risk of an attack will increase.

The travel industry is an important pillar of Hong Kong’s economy. In the face of such damaging cyberattacks, the industry as a whole has a fiduciary duty to protect data and prevent breaches. Perhaps now is the time for the industry to take a stance and introduce a code of practice and place “cyber hygiene” at the heart of everything the sector does. In this way, the industry will be able to self-regulate, ensure sensitive data is protected and win back customer trust.

Wickie Fung is general manager, Hong Kong and Macau, at Palo Alto Networks, a cybersecurity company headquartered in California, US
