The top two executives at Hong Kong carrier Cathay Pacific Wednesday apologized for the firm's handling of the world’s biggest airline hack that saw millions of customers' data breached but denied trying to cover it up.
The CEO and chairman also said the crisis “was one of the most serious” in the embattled firm’s history and would act differently in a similar situation in future.
The pair were summoned to Hong Kong’s Legislative Council to explain to lawmakers why it had taken five months to admit it had been hacked and the data of 9.4 million customers compromised, including passport numbers and credit card details.
Lawmakers slammed the delay as a “blatant attempt” to cover up the incident and thereby deprive customers of months of opportunities to take steps to safeguard their personal data.
“I’d like to make it absolutely clear that there was never any attempt to cover anything up,” Chairman John Slosar said.
“I see it as one of the most serious crises that our airline has ever faced,” he added.
Earlier he had read a statement to the LegCo in which he said: “I must personally apologize directly to you and the people of Hong Kong.”
It emerged this week that the breach was the result of a sustained cyber attack for three months. The airline had discovered suspicious activity on its network in March and confirmed unauthorized access to certain personal data in early May but did not make it public until October 24.
CEO Rupert Hogg explained the company needed time to establish the nature of attacks, contain the problem and identify stolen data, but said they “did regret the length of time” it took.
“We’ve learnt a lot of lessons from trying to do what we believe was right, which was to get accurate information about our customers, make sure that we knew what information pertained to them. We would do it a different way tomorrow indeed,” Hogg said.
When pressed by lawmaker Kwok Ka-ki on whether Cathay would report to its customers immediately if there was another leak, Slosar said: “We will report instantly, yes.”
Slosar also told lawmakers that the data breach issue was of great public interest but the information was not material or price sensitive.
The airline says it has contacted the customers, but it still has not mentioned financial compensation and the possible costs that may arise.