NPC orders international airline to address data breach issue

MANILA, Philippines — Personal data of over 100,000 Filipinos have been compromised in a breach on the system of an international airline earlier this year, according to the National Privacy Commission (NPC).

A report submitted by Cathay Pacific to the commission revealed that data of 102,209 Filipinos were compromised in the breach that happened in March.

Among those exposed were around 35,700 Philippine passport numbers, as well as credit card details of 144 Filipino users.

In an order dated Oct. 29, NPC complaints and investigations division chief Francis Euston Acero directed Cathay Pacific officials to explain within 10 days why it failed to timely notify the commission of the breach that affected Filipinos.

In addition, the NPC has ordered Cathay Pacific to submit within five days further information on measures being taken to address the breach.

He noted in the four-page order that the incident falls under the Philippine Data Privacy Act of 2012, which requires data controllers to report an incident of data breach within 72 hours after its discovery.

“For a full appreciation of the circumstances surrounding this report, and the data breach that it describes, it is necessary to require Cathay to explain, in writing, why Cathay and its responsible officers should not be prosecuted under the provisions of the Data Privacy Act of 2012 for Concealment of Security Breaches Involving Sensitive Personal Information,” the NPC said.

The NPC said the airline noticed suspicious activities on its system on March 13 and on May 7, Cathay Pacific’s forensics investigators confirmed there was unauthorized access to some information within the airline, affecting the personal data of passengers of both Cathay Pacific and Hong Kong Dragon Airlines Ltd., as well as of members of the frequent flyer program Asia Miles.

Among the exposed information were passenger name, nationality, date of birth, phone number, e-mail, credit card number, address, passport number, identity card number, frequent flyer membership number, customer service remarks and historical travel information.

Cathay, through its representative lawyer Pericles Casuela, only notified the NPC of the incident last Oct. 25 after it determined “very recently” the nationalities of those affected.

“On the surface, there appears to be a failure on the part of Cathay to report to this commission what it knew about the data breach at the time it confirmed unauthorized access and what the affected data fields are,” the order read.

“Cathay’s term ‘very recently’ does not establish any timeline through which we may determine the timeliness of the report dated 25 October 2018,” it added.

The NPC said the failure to report such a data breach in a timely manner may require the commission to fulfill its mandate to ensure compliance of personal information controllers with the provisions of the Data Privacy Act. 

“Philippine law imposes criminal liability on persons who, after having knowledge of a security breach and of the obligation to notify the commission under Philippine law, intentionally or by commission conceals the fact of such security breach,” the commission said.

When a failure to notify or delay happens, the NPC may investigate further on circumstances surrounding the data breach.