New details have emerged regarding Cathay Pacific’s data breach. The main update is that what was previously believed to be unauthorised access to 9.4 million passengers’ personal data was in fact a sustained three-month-long cyberattack.
In a written submission ahead of a joint meeting tomorrow with Hong Kong lawmakers regarding the breach, the airline said it and affected passengers were “victims of a cybercrime carried out by sophisticated attacker(s)”, and that the attacks “were at their most intense in March, April and May but continued thereafter”.
While no new revelations have emerged concerning the specifics of what data was compromised or the number of people that were affected, the airline’s latest submission suggests the event was far more significant than originally thought, and also goes some way to explaining the months-long delay between the detection of the attack, the date that a breach was confirmed, and passengers being informed.
Here’s what we know so far about the attack based on Cathay Pacific’s statements:
March 2018
- Cathay Pacific first detects suspicious activity on its network and takes “immediate action to understand the incident and to contain it”, employing a “leading global cybersecurity firm”.
April 2018
- Further attacks. Cathay’s internal and external IT security resources focus on containment and prevention, with remedial activities beginning.
May 2018
- Further attacks. Towards the end of the month, the number of successful attacks diminishes, though they do continue. “These ongoing attacks meant that internal and external IT security resources had to remain focused on containment and prevention,” said the airline in its written submission to local legislators.
May-August 2018
- Cathay attempts to ascertain the extent of passenger data that had been accessed or stolen and whether compromised data could be reconstructed outside of Cathay’s own IT systems.
August-October 2018
- Cathay investigates what passenger data has been affected in order “to give a single, accurate and meaningful notification to each affected passenger, rather than to provide an overly broad and non-specific notice”.
October 24, 2018
October 25, 2018
November 12, 2018
- Cathay releases a written statement prior to the joint Legislative Council (LegCo) panels meeting on November 14.
- Cathay says that to date, cybersecurity experts it has employed have found no evidence of compromised data appearing on other websites or on the dark web.
- As of midnight, 50,271 passengers had enrolled in IdentityWorks, an ID-monitoring system provided by the airline at no cost.