On November 12, Hong Kong-based airline Cathay Pacific publicly disclosed that the data breach it had first reported on October 24 was the result of a sustained series of cyberattacks that began in March 2018 and continued even after May 2018. In its October 24 statement, Cathay Pacific had announced only that “as part of its ongoing IT security processes, it has discovered unauthorised access to some of its information system containing passenger data of up to 9.4 million people. Upon discovery, the company took immediate action to investigate and contain the event.”
Subsequently, Cathay Pacific prepared and issued the November 12 statement, in advance of a November 14 joint meeting of the Hong Kong Legislative Council’s (LegCo’s) Panel on Constitutional Affairs, Panel on Information Technology and Broadcasting, and Panel on Security. In that statement, Cathay Pacific described a substantially longer timeline for both the attacks and the response than its October 24 statement had indicated. That timeline began in March 2018,
when Cathay first detected suspicious activity on its network and took immediate action to understand the incident and to contain it. Cathay did this with the assistance of a leading global cybersecurity firm. During this phase of the investigation, Cathay was subject to further attacks which were at their most intense in March, April and May but continued thereafter. These ongoing attacks meant that internal and external IT security resources had to remain focused on containment and prevention. . . . Even as the number of successful attacks diminished, we remained concerned that new attacks could be mounted.
The November 12 statement also included details about who was affected by the breach, what information was accessed, and how it conducted its internal investigation. It explained that the investigation had three objectives: (i) investigation, containment, and remediation; (ii) confirming which data had been accessed and whether it could be read by the attacker(s); and (iii) determining the types of personal data that pertain to each affected passenger and notification. “Once we met these objectives,” Cathay Pacific explained, “we notified affected passengers and relevant authorities.”
Cathay Pacific also sought to anticipate criticism about the delay in its disclosure of the full extent of the attacks and breach. It stated that
the nature of this attack involved a number of complex systems that took significant time to analyse. An enormous amount of work was involved in the investigation, which was highly technical. The process by which the stolen data could be identified, processed, and linked to a specific passenger also contributed to the length of time involved between initial discovery and public disclosure.
With regard to its investigation, Cathay Pacific also stated that “our foremost objective and primary motivation has been to support our affected passengers by providing accurate and meaningful information to them. . . . The investigation was complex, longer than what we would have wished and we would have liked to have been able to provide this information sooner.”
Note: At the conclusion of its November 12 statement, Cathay Pacific acknowledged “that there [are] many lessons that we can and will learn from this event.” There are at least two lessons that other companies, from senior management to information-security and compliance officers, can learn from Cathay Pacific’s experience — though those lessons may not necessarily be the ones that Cathay Pacific had in mind.
First, senior management needs to understand how sustained cyberattacks on their information systems can be. Media reports sometimes seem fixated on the word “sustained” in describing cyberattacks, such as the June 2017 cyberattack on the United Kingdom Parliament. It should be noted that that attack reportedly lasted on the order of only 24 hours, but included a peak intensity of approximately 200,000 attempts over a number of hours on a single day. The Cathay Pacific attack, by contrast, lasted for approximately three months. Although that attack might seem like a “black swan” event, its success over multiple months makes it highly likely that those or other cyberattackers will emulate the concept of multiple-day or week attacks against other companies and government agencies.
For that reason, senior management needs to plan for the possibility that it will need to spend significant sums to supplement their company’s human and technological resources, and remediate hardware and software damage, in the event of a major cyberattack that lasts for an extended period. As one point of comparison, in March 2018 the City of Atlanta experienced a major ransomware attack that not only caused significant damage to various information resources, but required the City to engage in emergency contract hires of security consultants and crisis-communication experts. The bill for response and remediation reportedly increased from $2.7 million in April 2018 to $17 million by August 2018.
Second, in their first reports of a major cyberattack or data breach, companies need to choose their words carefully in describing the attack or breach. In 2018, investors, the media, and the general public can be quick to react adversely to any reports that a company that suffered a data breach did not publicly disclose that breach until well after the event. While a company must always take steps to see that the nature and timing of such disclosures comply with applicable state laws or national legislation, it must also anticipate that its first statements about the breach will set the tone for immediate and later responses by the media and the investing community.
In Cathay Pacific’s case, its October 24 explanation of the reasons for delaying disclosure – the need to determine the true extent of the damage and to remediate effectively — was not unreasonable on its face, and the company did include specific information about how people who thought they might be affected could contact the airline. The greater problem appears to have been the wording of that statement. Though surely not intended to mislead the public, the statements in the lead paragraph that it “discovered unauthorised access to some of its information system” and “took immediate action to investigate and contain the event” could easily be read to mean that the attack was a one-time event of brief duration. That, coupled with the seven-month delay in disclosing the breach, likely added momentum to the “avalanche of criticism” that the October 24 statement triggered.
Three more specific lessons from this case, for other companies that suffer data breaches in the future, are simple:
- When you’re ready to make your first statement about the breach, be as concise, and as accurate, as you can without compromising any ongoing internal investigation or remedial efforts. In that critical first disclosure, a company doesn’t need to explain the precise details of attack vectors or of the information-technology defense mechanisms and techniques it used. It does need to be clearly understood when it describes the general nature and duration of the attack. In the case of the UK Parliament attack, Parliamentary authorities provided general but prompt information during the weekend that the attack was underway, and were specific and accurate about the attack’s duration and intensity reasonably soon after the attack had ended.
- Have someone outside the crisis-response team read the draft statement. It’s easy for people operating 24/7 in a crisis-response mode to make the assumption that they’ve said what needs to be said. But it takes no effort to have someone from outside the team read the draft statements, as well as any draft questions and answers that corporate or government spokespersons propose to use with the media, with a layperson’s eye, and tell the crisis-response team where the public or the media might misunderstand or misconstrue any statements.
- As with any other corporate crisis response, provide followup details when you can, but only when you’re confident you can provide accurate data. In the case of the UK Parliament attack, less than a month after the attack Parliament provided a concise but specific accounting of the extent of the attack, how many accounts were compromised, and what Parliament had done to respond.
In today’s LegCo joint panel meeting, Cathay Pacific’s representatives are likely to face pointed and critical questioning about its response to the cyberattacks and the timing of its disclosures. With luck, it will already have learned enough lessons from its experience to date to provide responses that reduce the duration and intensity of that criticism.