Cathay Pacific Data Breach Case Study: Reasons, Impact, and Defenses

Added on  2023/01/20

AI Summary
This case study provides a comprehensive analysis of the 2018 data breach at Cathay Pacific, an international airline company. It begins with an introduction highlighting the importance of data protection and the potential consequences of data breaches, followed by a background of the company and the specifics of the breach, including the number of affected customers (approximately 9.4 million). The study delves into the reasons behind the breach, such as overlooking IT infrastructure restructuring, poor programming practices, and the retention of sensitive data like Hong Kong identity card numbers. It also identifies the types of data breaches, including cyberattacks involving malware, and the failures of the defense mechanisms, such as lack of multi-factor authentication and unencrypted backups. The analysis reveals the gaps in the existing security measures and concludes with a discussion of the implications of the breach on the company's brand image and customer trust.
CATHAY PACIFIC 2018 DATA BREACH CASE
Table of Contents
1. Introduction
2. Company background
3. Background of the issue
4. Reason of data breach, type of data breach and defense method
5. Gap in the current defense method
6. Lack of security
7. Conclusion
References
1. Introduction
Protecting customers' information is an important duty of organizations, as it is
related to the trust customers place in a company. It is important to ensure the integrity and
security of databases to protect customers' personal information, including name,
address, phone number, and other personal details. A breach of this data may allow
criminals to harm consumers. This study analyzes the Cathay Pacific 2018
data breach. In this case, the personal information of
Cathay Pacific customers was breached. The incident took place as a result of
three attacks by hackers. This paper discusses gaps in the security system of this airline
company. The company's existing defense system failed to protect information, and
the particular reason behind this failure is analyzed in this study.
2. Company background
Cathay Pacific is an international carrier that is also known as Cathay Pacific
Airways Limited. The firm was incorporated on 24th September 1946. Its head office
is located at Hong Kong International Airport. It has subsidiaries such as
Cathay Dragon and Air Hong Kong. In 2018, the firm earned HK$ 111.6 billion
in revenue. Its fleet size is 202 and it provides services to 77 destinations. It has
around 32400 employees across the firm and all subsidiaries (Cathay Pacific). Cathay Pacific has
a comprehensive global network of line maintenance support at different locations. The main aim
of its business is to continuously improve its products and services and gain competitive
advantage in the market. The airline will increase its fleet size by 71 up to 2024. It
provides different services to its customers, including airline services, cargo handling, and
in-flight catering. Moreover, it provides ground services and laundries. It also provides
airline services to around 200 destinations that include different regions of Asia, Europe, and
Africa. It aims to expand its fleet by acquiring fuel-efficient aircraft and is also
trying to improve its aircraft engineering business in future. Cathay Pacific is one of the founding
members of the OneWorld alliance, whose other members include British Airways and Japan
Airlines.
This firm has earned millions of customers by providing a wide range of efficient
support and varied products. However, the recent data breach, which affected
about 9 million customers of the company, has damaged its brand image. The firm
gives passengers support by providing essential information such as the departure time of
the aircraft. Hence, collecting personal details such as contact information is important for providing
prompt support to customers.
3. Background of the issue
The data breach at Cathay Pacific can be considered the largest case of data breaching,
and it took place in 2018. The company has a well-designed IT structure,
and the employees of its IT department make their best effort to protect
customers' information. However, hackers attacked several times and
caused a breach of data affecting approximately 9.4 million passengers. Solove (737)
has mentioned that protecting the personal information of consumers is a primary responsibility
of a company and that organizations are bound by the legal system to make their best effort to
avoid data breaches. Several consequences are associated with a data breach.
A breach of data due to the negligence of a company negatively affects its customer base.
Customers rely on organizations and provide their personal information when purchasing
products or services. For example, customers of Cathay Pacific provide personal information
such as their name, contact details, passport details, and credit card and ID card details to the
company while booking flights. However, the data breach gave unauthorized persons access to this
information.
The company did not release information about this incident for seven
months in order to protect its reputation. However, the Hong Kong privacy watchdog
investigated the case and produced a report on the matter. Incidents of this kind
result from the lax attitude of organizations and affect the lives of consumers (Manworren et
al. 258). As a result, consumers switch away from such companies, and a certain breakdown in
the company's economy takes place. In this case, the report generated by the watchdog
mentioned that restructuring of the IT system can be considered one of the main reasons
behind the data breach. However, the management of the company
denied this, saying that they had made their best effort to ensure perfect
restructuring of the IT system. According to Ablon et al. (125), it is important to improve the IT
system of a company on a regular basis without harming the existing system. The Cathay Pacific
data breach suggests that mistakes may have been made
during the restructuring of the IT system, giving hackers the chance to attack the database
of the company. Data breaching is one of the major concerns of this time, as it has a long-term
effect on organizations and their customers. News of this kind spreads easily and causes
damage to brand image. After the Cathay data breach, the brand image was
damaged, and the organization is facing difficulties in retaining loyal customers.
4. Reason of data breach, type of data breach and defense method
Reason behind the data breach
According to reports, the data breach at Cathay Pacific occurred because the
restructuring of IT infrastructure was overlooked (Horton 1). Cathay Pacific has invested substantial funds in
improving its IT infrastructure, but because the restructuring of the IT department was overlooked,
vulnerability to breaches increased. Trautman states that a database becomes vulnerable
due to poor programming practices and failure to apply patches in a timely manner (1231).
The airline has used Red Hat software to build an underlying open platform
infrastructure. Moreover, it has used Amazon Web Services to host different
customer-facing applications, including online check-in systems, maintenance of flight
schedules and collection of fares. Customer data can be easily accessed by a hacker from these
applications that are hosted by a third party. However, the management of the organization
overlooked this gap in its operating procedures related to information
technology. This increased the vulnerability of customers' data and can be considered the
main cause of this breach of data.
On the other hand, Cathay retained Hong Kong identity card numbers even 13
years after collection (Harris, Kamala and Attorney 2016). This increased the risk to these
cardholders. Identity card numbers were accessed for 6%, which includes
52000 permit numbers, 243000 Hong Kong identity cards, and 310000 other identity cards.
This reflects the poor data management of this organization. Keeping old data can affect the
privacy of previous users, as seen in this case. Old identity card details can be
removed, which can help to reduce vulnerability. Identity card information contains personal
information like date of birth and other details that need to be protected by an organization
(Schatz, Daniel, and Rabih 73).
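
An added example, not taken from the case study or from Cathay Pacific: a retention sweep that erases identity document numbers held longer than a set limit and keeps an audit trail of each decision. The record layout, field names and retention limits are assumptions, and the records are constructed sample data with placeholder document numbers.

```python
from dataclasses import dataclass, replace
from datetime import date
from typing import Optional

# Assumed retention limits (days) per identity-document type. These numbers are
# hypothetical; a real schedule comes from legal and business requirements.
RETENTION_DAYS = {"hkid": 365, "passport": 730, "travel_permit": 365}
DEFAULT_RETENTION_DAYS = 365


@dataclass(frozen=True)
class CustomerRecord:
    customer_id: str
    doc_type: str
    doc_number: Optional[str]     # None once the number has been erased
    collected_on: date
    last_used_on: Optional[date]  # last booking that needed the document


def held_days(rec: CustomerRecord, today: date) -> int:
    """Days since the document number was last needed (or first collected)."""
    return (today - (rec.last_used_on or rec.collected_on)).days


def sweep(records, today):
    """Erase document numbers held past their limit.

    Returns (updated_records, audit_log). Records dated in the future are left
    untouched and logged for review, because their age cannot be trusted.
    """
    updated, audit = [], []
    for rec in records:
        if rec.doc_number is None:        # already erased, nothing to do
            updated.append(rec)
            continue
        days = held_days(rec, today)
        limit = RETENTION_DAYS.get(rec.doc_type, DEFAULT_RETENTION_DAYS)
        if days < 0:
            action = "review"
        elif days > limit:
            action = "erased"
            rec = replace(rec, doc_number=None)
        else:
            action = "kept"
        updated.append(rec)
        audit.append({"customer_id": rec.customer_id, "doc_type": rec.doc_type,
                      "held_days": days, "limit_days": limit, "action": action})
    return updated, audit


# Constructed sample data; the document numbers are placeholders.
SAMPLE_RECORDS = [
    # Collected 13 years before the sweep date and never used again.
    CustomerRecord("C001", "hkid", "HKID-SAMPLE-1", date(2005, 3, 1), None),
    CustomerRecord("C002", "passport", "PP-SAMPLE-2",
                   date(2016, 1, 10), date(2017, 11, 20)),
    CustomerRecord("C003", "hkid", None, date(2010, 6, 5), None),
    # Collection date lies after the sweep date: a data-quality problem.
    CustomerRecord("C004", "travel_permit", "TP-SAMPLE-4", date(2019, 1, 1), None),
]

if __name__ == "__main__":
    _, log = sweep(SAMPLE_RECORDS, today=date(2018, 3, 1))
    for entry in log:
        print(entry)
```
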
According to the report of the Hong Kong watchdog, the IT security system of Cathay Pacific
also contains many gaps that can be considered another main reason for the data breach. This
firm does not have effective multi-factor authentication. Smyth stated that two-factor
authentication helps an organization to provide improved security to consumers (5). It also
decreases the probability of hacking by an attacker, which increases the security of computers and
online accounts. Different sensitive information can be protected by this process, which was
not adopted by this airline. Moreover, the watchdog also found that the company had
unencrypted backups (Xu 587). Encryption of backups can help to take the security of
personal data such as email account passwords to the next level. Encryption of backups is
necessary to ensure data protection and eliminate the risk of hacking. In addition, it was
also found that the management of Cathay Pacific has low alertness to risk. The firm handles
data on millions of customers, yet it does not have a proper system to eliminate breaches.
The management of a large, customer data-centric organization must be prepared to avoid the risk
of breaching (Guobin 566). However, they have not given proper attention to managing this
vast amount of data and ensuring the protection of customer information. These are the main
reasons for this data breach, and the management of Cathay Pacific can be held fully responsible
for this incident.
Type of data breach
There are different kinds of data breach, and the consequences of each category
differ from one another. The types of data breach include cyber attacks, leaking of
information by employees, loss of devices, human error and other kinds. Vu (2) has stated
that all of these types result in breaches of personal information that may harm people
personally. The present case study suggests that the Cathay data breach was
unexpected, and it has affected about 9.4 million passengers who have traveled with this
airline. This incident has resulted in a breach of the Data Protection Act 2019.
Buckman et al. (7) have mentioned that the Government of Hong Kong introduced this
legislation to guide people regarding the protection of personal information. Cathay Pacific
has breached this legislation, as it failed to maintain the confidentiality of data.
The Hong Kong watchdog investigated this matter and found that a
total of two kinds of data breach took place. This reveals a lack of
perfection in the data security system at Cathay. It is important for the IT department of every
organization to ensure strict monitoring of all activities that use stored data in order to avoid this
kind of data breach (Zyskind, Guy, and Oz 181). Passengers provide
their valuable information to this company, and it must value their trust. The investigation undertaken
by the company itself revealed that two groups of hackers attacked the database
of the company. These hackers took different approaches to breach data. In spite of the high-security
system, these two groups successfully hacked the database of Cathay and
accessed personal information of customers. The first type of data breach took place on
22nd March of 2018. As per the investigation, malware was used to hack the database of
this renowned organization. This was the first attack by the first group of hackers. This group
of hackers is traced to 15th October of the year 2014. At that time the group secretly
installed keylogger malware on a new undisclosed system. This action was performed
to harvest user credentials, as per the company's investigation report.
The management of this company could be alert for the future after the occurrence of this kind of
data breach.
On the other hand, the second type of data breach took place on 13th March 2018.
This was the first attack by the second group of hackers. Evidence of the last activity of this
group was found on 11th May of 2018. The firm is currently using Amazon Web
Services to maintain its customer-facing systems. This information is easily available on the
internet. Cathay has shared this information to be transparent to all stakeholders. It is
important to understand that not all information related to business activities can be shared, for
security purposes (Safa et al. 65). However, the second group of hackers gathered this
information and studied the application of this kind of third-party system. The vulnerability of
the airline's customer-facing systems helped the second group of hackers in breaching
data.
Defense method
This is an era of data-driven economy; hence it is essential for Cathay to adopt
proactive data management as a corporate digital value. Preventing a breach attack is the
main defense method that can be adopted by an organization. This essential method of
defense can be achieved by isolating vital information that is at risk of breaching
(Abiteboul 3). Regular monitoring can help to detect breaching of accounts. Those accounts
can be isolated, which can help to secure other accounts. After containing the threat, it is
essential to prevent any further damage. Cathay management can discontinue the breached
accounts and blacklist the IP address from which the breach was initiated. Instead, they did not
share information regarding the incident, which escalated the breaching incident. It can be seen
that two groups of hackers continued the breaching process, but management neither
monitored nor took any preventive actions.
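
The monitoring and containment steps described above (detect breached accounts, isolate them, block the source address), as an added example that is not part of the original case study. The log format, thresholds and function names are assumptions, and the log lines are constructed using documentation-range IP addresses.

```python
import re
from collections import defaultdict

# Assumed log format (hypothetical), one event per line:
#   <ISO-8601 UTC time> login user=<name> ip=<address> result=<success|failure>
LINE_RE = re.compile(
    r"^(?P<ts>\S+) login user=(?P<user>\S+) ip=(?P<ip>\S+) "
    r"result=(?P<result>success|failure)$"
)
MIN_NEW_ACCOUNTS = 3      # assumed: one unfamiliar address entering this many accounts
FAILS_BEFORE_SUCCESS = 5  # assumed: failures before a success that suggest guessing


def parse(lines):
    """Return (events, rejected_count); malformed lines are counted, not hidden."""
    events, rejected = [], 0
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:
            events.append(m.groupdict())
        else:
            rejected += 1
    return events, rejected


def triage(lines, known_ips):
    """Build a containment list from login events.

    known_ips maps each account to addresses already associated with it;
    logins from those addresses are treated as baseline and ignored.
    """
    events, rejected = parse(lines)
    events.sort(key=lambda e: e["ts"])  # same-format UTC timestamps sort as text
    fails = defaultdict(int)            # (ip, user) -> consecutive failures
    entered = defaultdict(set)          # ip -> accounts entered from a new address
    guessed = defaultdict(set)          # ip -> accounts entered after many failures
    for e in events:
        ip, user = e["ip"], e["user"]
        if ip in known_ips.get(user, set()):
            continue
        if e["result"] == "failure":
            fails[(ip, user)] += 1
            continue
        if fails[(ip, user)] >= FAILS_BEFORE_SUCCESS:
            guessed[ip].add(user)
        entered[ip].add(user)
        fails[(ip, user)] = 0
    # Block an address that entered several unrelated accounts or guessed its way in.
    block = {ip for ip, users in entered.items() if len(users) >= MIN_NEW_ACCOUNTS}
    block |= set(guessed)
    isolate = set()
    for ip in block:
        isolate |= entered[ip]
    # A single login from a new address is not enough to suspend an account.
    review = set().union(*entered.values()) - isolate
    return {
        "block_ips": sorted(block),
        "isolate_accounts": sorted(isolate),
        "review_accounts": sorted(review),
        "rejected_lines": rejected,
    }


# Constructed sample log; account names and addresses are made up.
SAMPLE_LOG = """\
2024-01-15T01:00:02Z login user=alice ip=203.0.113.10 result=success
2024-01-15T02:14:07Z login user=bob ip=198.51.100.23 result=success
2024-01-15T02:14:31Z login user=carol ip=198.51.100.23 result=success
2024-01-15T02:15:02Z login user=dave ip=198.51.100.23 result=success
2024-01-15T03:00:00Z login user=erin ip=192.0.2.77 result=failure
2024-01-15T03:00:05Z login user=erin ip=192.0.2.77 result=failure
2024-01-15T03:00:11Z login user=erin ip=192.0.2.77 result=failure
2024-01-15T03:00:18Z login user=erin ip=192.0.2.77 result=failure
2024-01-15T03:00:26Z login user=erin ip=192.0.2.77 result=failure
2024-01-15T03:00:50Z login user=erin ip=192.0.2.77 result=success
2024-01-15T04:30:00Z login user=frank ip=192.0.2.200 result=success
corrupted line without fields
""".splitlines()

KNOWN_IPS = {"alice": {"203.0.113.10"}, "frank": {"203.0.113.44"}}

if __name__ == "__main__":
    for key, value in triage(SAMPLE_LOG, KNOWN_IPS).items():
        print(key, value)
```
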
Another essential defense method is assessing the damage properly.
A proper monitoring system and advanced infrastructure can help to assess the damage caused by a
breach (Shen et al. 332). This method of defense can be implemented after preventing a
breach attack. It can help investigators to determine the source and type of breach
and the damage that it has caused. Conteh and Schmick (31) mentioned that proper investigation
can help a company adopt appropriate strategies to stop any further damage to the essential data
and information of the organization. It is essential to gain good knowledge of
the procedure of the attack, which can help the organization to prevent this type of attack in
future. Knowledge about factors such as the vector of attack, the sensitivity of the breached data
and the type of data impacted needs to be obtained. Hence, detailed investigation of the
damage can be considered an essential method of defense.
A security audit is another important defense method that is essential for large
multinational firms like Cathay Pacific, which serves millions of customers. Peltier (22) has
stated that a security audit helps to assess a firm's current data security systems and future
preparations. Cathay Pacific management thinks that their security systems are efficient
enough to protect consumers' data. However, the breach of 9 million consumers' data
happened in 2018, which has affected the brand image and reputation of the company. It was
found that security systems were poor and unmonitored. Moreover, data were unencrypted,
which made the task of the hackers easy. A DNS audit can be enforced by Cathay Pacific,
which can help to secure the entire IT infrastructure of the company. Regular audits can help to
understand the necessity of preventive steps like two-factor authentication and data
encryption (Lopez et al. 61). These steps can help Cathay Pacific to protect vital personal
information of consumers and employees. Hence, business can be continued in an ethical
way. The lack of proper audits and of these preventive steps is the main cause of this massive
breach attack, as identified by the Hong Kong watchdog. Moreover, as a defense method,
upgrading of the monitoring process is required. Management must recruit able employees and
experts who can control the system and frame effective strategies to manage big data.
5. Gap in the current defense method
Failure of 1st line defense
Poor management control at Cathay Pacific can be considered one of the main
reasons behind the data breach. After this incident, the management
system of the company was questioned by other stakeholders. The government of Hong
Kong has taken initiatives against the company over this case. The Privacy Commissioner for
Personal Data (PCPD) has issued an enforcement notice against the company over the accessing of
personal information of about 9.4 million customers. Buczak, Anna, and Erhan (1153)
have narrated that the management team is the head of an organization and controls the activities
of other departments within it. In this case, the management of the company
failed to manage its cyber security system. After the data breach,
the management of the firm mentioned that they are still changing some of their business
operations and cloud security systems to avoid this kind of incident in the future.
They have admitted that the IT system of the company can be improved further to maintain
confidentiality of data. It means that managers of this company have not performed their duty
with dedication, and their negligence has helped hackers to access information of their 9.4
million consumers.
It is the duty of a manager to maintain transparency between an organization and its
stakeholders (Fielder et al. 13). In this case, the management of the company intentionally
did not maintain transparency and tried to hide the data breach. Management
took about seven months to share this information with customers. It is clear that
the management did not have enough courage to talk about this issue. Two different groups
of hackers attacked the database of the company, and the manager could have disclosed
the issue after the very first attack. It is necessary for managers to develop a contingency plan
in advance based on recognition of potential risks (Gupta et al. 25). In the case of Cathay Pacific,
none of these actions were taken by the manager. This was the main reason behind the
failure of the first line of defense. The organization uses Amazon Web Services to maintain
its customer-specific applications, and Red Hat software is used to develop open
infrastructure. Managers' decisions to use this kind of front-end application can
cause breaching of data (Graham 26). These kinds of third-party applications provide access to
many people, and it is easier for hackers to hack them. The management
team of the company could have planned to hire cyber security experts to maintain the
privacy of customers' personal information. They have used very common applications
to maintain their operating systems. The functional areas of these applications are known to all,
and this information helped the second group of hackers to access the private data of
the passengers who were impacted.
The company cut its management costs after this incident and redesigned its
organizational structure. It means that they identified gaps in their management control
that led to the data breach. Managers did not monitor all
operations carefully, and it is assumed that hackers got the opportunity to attack
during the period of restructuring of the IT system. Modifying an IT system is a difficult task, as the
entire database system relies on IT infrastructure. The management of Cathay Pacific could have
ensured better control over activities in improving the IT system (Ben-Asher 51).
On the other hand, poor management control over human resources is one of the main causes
behind data breaching. Employees are not trained properly to use the latest technologies, and
their mistakes can be beneficial for hackers who are targeting the database of the company.
Self-development of HR managers is required to manage employees. Better management
control could be established by providing necessary training to employees of different
departments.
Failure of the 2nd line defense
The second line of defense consists of standard setters who establish policies and
processes for managing risks. Knowles et al. (53) stated that standard setters provide guidance
regarding coordination for eliminating risks. In the case of Cathay Pacific, it can be seen that
the breach did not occur due to a single point. It involved the failure of each defense system,
including the standard setters. The standard setters of this company include the CEO and corporate
board, which includes experts from the IT department. The standard of security policies is framed
and revised by these standard setters, which failed in this case. Risk process
accountability is dependent on these groups in a firm. The standard setters act as a bridge
between the first and third lines of defense. In this case, it is the duty of standard setters to propose
an ethical way of managing essential data and valuable information regarding customers and
employees. Lee (11) mentioned that it is the duty of standard setters to identify opportunities
for change in an organization. However, the standard setters of Cathay Pacific overlooked the
need for restructuring of the IT department. Standard setters have not set any ethical standards,
and it can be seen that different information about operations has been leaked on the internet since
2007. This has given ample chances to hackers for continuing their operations.
This defense line must revise the policies and procedures of data security and set proper
policies that can help to protect consumers' data. These policies and guidelines can help the first
line of defense, or management, to exert proper control over security systems.
The lack of any proper standard of data protection can be identified as a gap in the current
defense systems of Cathay Pacific. The first line of defense, that is management
control, can be operated successfully if standard setters frame proper guidelines and policies.
It is the accountability of the standard setters in the IT department to ensure cyber security (Do et al.
30). Different processes for ethical storage of data need to be framed by this
line of defense. However, it can be seen that data of previously submitted identity cards were breached,
which should have been protected or removed from storage. Moreover, no proper standards were
maintained for storing virtual information like credit card numbers. 430 credit card numbers
were accessed by the hacker, out of which 27 are expired (Abomhara 65). Hence, it is shown
that the second line of defense also failed and that there is a gap in this defense line. To
mitigate this gap, the help of experts needs to be taken for setting appropriate standards to
ensure cyber security. Moreover, the risk areas of a data breach, such as storage of customers'
card numbers and other personal details, need to be managed. But in this case, the
risk areas were overlooked.
Failure of 3rd line defense
The third line of defense consists of independent assurance providers who need to
provide group reports to the management. This group includes both internal and external
auditors and the chief risk officer. However, in this case, there is no mention of any third line of
defense. It is mentioned that the company invests huge funds in expanding its
information technology infrastructure. However, there is no mention of regular audits of data storage and
safety. Van et al. (547) said that it is essential to conduct regular cyber security audits that
can help to minimize the risk of breach. The management of this company has taken a lax
approach to maintaining data security. This has affected the security of essential data.
Hence, it can be said that a lapse of the third line of defense can also be seen. It is very
important for auditors and other assurance providers to maintain communication with the
standard setters (Berendt 36). This can help them to gain proper control of the auditing
process. Moreover, regular auditing of the security of vital data and customer
information can help a firm to ensure protection. Any breach of data and loss of vital
information can be noticed through regular auditing.
A lack of proper auditing is seen in the case of Cathay Pacific. This led to a delay in
the announcement of the breach. A seven-month delay occurred in
announcing the incident. The management of the organization has said that they needed proper time
to understand which data was accessed by the hackers. This occurred due to
the absence or inefficiency of audit teams and other assurance providers. Regular auditing
can help to detect any breach in data storage, and the amount of data lost can be determined (Van
23).
The above discussion shows that this is not a failure of a particular department or
person. The whole IT security system of Cathay Pacific failed, which helped the hackers in
the breaching process. All three lines of defense failed to some extent in this breaching
process (Knorr 38). However, the first line of defense, that is management control, can be held
responsible for this incident. Lack of security and monitoring and improper management of
data facilitated this breaching process.
6. Lack of security
After the data breach, passengers do not feel secure with Cathay
Pacific. The lack of a proper security system is the main reason behind this kind of incident
(Kogiso, Kiminao, and Takahiro 23). The company is bound to deal with a large amount of
customer information. Hence, it is liable to install an effective security system to protect
the personal information of passengers. The lack of skilled IT experts is one of the main security
gaps at Cathay Pacific. After this incident, the Hong Kong privacy watchdog
investigated the case and suggested that the company hire skilled, expert IT staff
to improve its data security system. The HR department of the company must focus on self-development
and must hire efficient staff who have prior experience in the field of IT
(Kerber et al. 856). Candidates must be chosen based on their experience and abilities. After
testing their abilities, they can be hired and given the responsibility of handling information.
Clear evidence has not been found to prove that poor control of IT restructuring
caused this data breach. However, a lack of monitoring of the restructuring has been
noticed, and it is assumed that this restructuring of the IT system was not done
properly. The lax attitude of management towards IT restructuring has become the main cause
behind the security lapse (Vincent et al. 77).
Whitty et al. (3) have narrated that third-party services are used by large
multinational companies because they are easy to apply. However, it is not easy to maintain
confidentiality of data while using this kind of application. Most third-party
applications are highly vulnerable, and hackers can hack them easily. Applications of this kind
are cost- and time-efficient. Their ease of use attracts the management
of large organizations such as Cathay. The company is using third-party
applications from renowned organizations such as Amazon and Red Hat. However,
these services are easy to apply and known to many people. Hackers have this
information, and it has helped them to hack the database of the company. Proper training has
not been provided to employees to handle these services, and a gap in the security system has
formed (Stevens 25). The organization could hire experts to train existing IT professionals
within the company to maintain a strong security system.
Cathay Pacific has not followed some basic principles of data protection, which has
compromised the personal information of millions of customers. Basic principles include encrypting
essential data. This is the most essential step that every big firm needs to take. This can be
identified as a technical fault that has facilitated the hackers. Maglaras et al. (42) opined that