Wickie Fung

Opinion | Travel hub Hong Kong is on the hit list of cyber criminals, as Cathay data breach shows. It’s time it started defending itself

The data breach suffered by Cathay Pacific last year was just one of a growing number of attacks on a pillar of the Hong Kong economy, which highlight the vulnerability of an industry where a large amount of personal information is stored and used

Reading Time:3 minutes

Why you can trust SCMP

Travellers queue at Hong Kong International Airport to check in for their flight. As a major transit point and popular destination, Hong Kong draws tens of millions of visitors to the city every year, and its travel industry generates and absorbs enormous amounts of data from and about customers. Photo: Dickson Lee

Wickie Fung

Published: 10:03am, 20 Feb 2019Updated: 10:37am, 20 Feb 2019

The travel industry in Hong Kong accounts for about 4.5 per cent of the city’s gross domestic product. Due to its popularity as both a transit point and a destination, recent figures indicate that Hong Kong International Airport welcomed 74.7 million passengers and handled 427,725 annual air traffic movements among over 120 airlines.

To make travel more efficient and remain competitive, the industry generates and absorbs enormous amounts of data from and about customers. This may include the amount of time spent on travel websites, choices made, number of travellers, trips taken, destinations visited, and more.

While this information may seem innocuous, the travel agent, airline, hotel and other travel vendors will also collect much more sensitive information once a booking is made. Often, this includes passport and ID numbers, credit card information, home address, date of birth and more; information which is, in the main, unique and, in some cases, irreplaceable. It is this sensitive information that is especially attractive to cyberattackers, who will use any means they can to steal data to sell on the dark web or leverage for other scams.

The past six months has seen a new trend in cyberattacks in Hong Kong: attacks to steal information have become the No 1 threat, displacing ransomware, as the data can be easily and quickly monetised.

This is evidenced by the unprecedented cyberattack last year on Hong Kong’s flagship carrier, Cathay Pacific Airways, which earned it the dubious record of having the world’s largest airline data breach. Hong Kong had already been dealing with several cases of cyberattacks on travel agencies, only to learn in October that Cathay, too, had suffered a major breach, with the loss of a trove of sensitive data, including Hong Kong ID and passport numbers, dates of birth, addresses and credit card numbers, affecting over nine million people.