102,000 PH passports, credit cards affected in Cathay Pacific data breach: NPC

Katrina Domingo, ABS-CBN News

Posted at Nov 10 2018 11:50 AM | Updated as of Nov 10 2018 04:17 PM

A passenger walks to the First Class counter of Cathay Pacific Airways at Hong Kong Airport in Hong Kong, China April 4, 2018. Bobby Yip, Reuters/File

MANILA - Data from some 102,000 Filipino passports and credit cards are among those affected in the massive data breach that hit Cathay Pacific earlier this year, the National Privacy Commission (NPC) said in an order made public Saturday.

Some 35,700 passports, 144 credit card numbers, and 66,000 other pieces of personal data from the airline's Philippine customers were exposed when Cathay's network suffered unauthorized access in March, the NPC said in an order dated October 29.

Among the data exposed were nationalities, dates of birth, phone numbers, email addresses, credit card numbers, frequent flyer membership numbers, customer service remarks, and historical travel information, the NPC said.

The commission gave Cathay 5 days to submit "further information on the measures taken to address the breach."

Cathay was also given 10 days to explain in writing why the government should "overcome the presumption" that the airline deliberately hid the breach from the NPC, the Commission said.

"There appears to be a failure on the part of Cathay to report to this Commission what it knew about the data breach at the time it confirmed unauthorized access and what the affected data fields are," the NPC said.

"Philippine law imposes criminal liability on persons who, after having knowledge of a security breach and of the obligation to notify the Commission under Philippine law, intentionally or by omission conceals the fact of such security breach," the order read.

Last month, Cathay Pacific confirmed that it suffered a data breach that affected 9.4 million passengers worldwide.

The airline first noticed "suspicious activity on its network and called for an internal investigation" in March 2018, and confirmed the "unauthorized access" in May.