I'm willing to bet some of it is pretty critical [valid credit card details?]; it might end up in the Dark Web, auctioned off or something like that.
Some of it is useless (not valid anymore, or just junk emails used to sign up).
Cathay doesn't tell us what else has been leaked (or they don't know), but what if there's a team on the other end of the hacks that actually analyses the metadata of these hacks, and finds out the frequency of movement of some people, and adds that to their 'alpha'?
I do wonder when/if companies will move wholesale to avoiding security mechanisms that rely on the secrecy of particular pieces of static information (e.g. passport numbers, Social Security Numbers (in the US), etc.).
The number of breaches of personal data now means that in many/most cases an assumption that only a person knows something about them is extremely unlikely to hold across a large userbase.
Of course you then fall back to "how do you validate that someone is who they say they are" and probably things like biometrics, and/or other forms of 2FA will need to feature.
"The company has no evidence that any personal information has been misused." Yeah? Well my dog has no evidence of these details being misused either, but I would still trust his opinion over Cathay's on this topic.
Edit: "If my personal information was accessed, how might I be affected?
We are very sorry for any concern that this may cause you."
So... please change your passport number, birthday and previous travel history if you are still concerned?
So infuriating. The people who SHOULD be impacted by this are Cathay Pacific shareholders and senior management, who should get a rinsing due to fines.
It is unclear from any reporting as to how this technically happened, which is a shame but hopefully that will be made public in the coming days. Some other outlets[0] have an interesting statement:
> The breach also included details about where each passenger had traveled and any comments made by customer service representatives. The amount of data accessed varied among passengers.
Based on those details, and the mention of 'no passwords were compromised', chances are this breach has come from an internal helpdesk type system, or possibly CRM. If, however, the statement around the passwords changes, that opens up a few other possibilities.
What this doesn't sound like are the attacks we saw on British Airways[1] and Ticketmaster[2], where JavaScript was injected into the payment pages to vacuum up payment details from customers.
The statement around "The company has no evidence that any personal information has been misused" is always an interesting one, and is one of the many reasons I created my startup Breach Insider[3], so that data breaches like this could be detected much sooner (not 7 months later, as we have seen here), with minimal false positive alerts, and definitive evidence if any data has been misused. By using real email addresses that are unique to each company/business, you can be sure to find out if that data ever leaks & is abused for things like spam or phishing.
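
The per-company unique address idea from the comment above, sketched as an added example (not part of the original comment and not Breach Insider's code). The domain `canary.example`, the key, the vendor names and all function names are assumptions made for illustration, and the two messages are constructed samples.

```python
import hashlib
import hmac
from email import message_from_string
from email.utils import getaddresses, parseaddr

SECRET = b"constructed-demo-key"   # assumption: a private key in real use
CANARY_DOMAIN = "canary.example"   # assumption: a catch-all domain you control

def canary_address(vendor: str) -> str:
    """Derive the one address that is handed to this vendor and nobody else."""
    tag = hmac.new(SECRET, vendor.lower().encode(), hashlib.sha256).hexdigest()[:12]
    return f"u{tag}@{CANARY_DOMAIN}"

def build_registry(vendors):
    """Map canary address -> (vendor, domains that vendor legitimately mails from)."""
    return {canary_address(v): (v, doms) for v, doms in vendors.items()}

def classify(raw_message: str, registry):
    """Return (vendor, sender_domain) for each canary hit from an unexpected sender.

    The From header is spoofable; a production check would compare the
    DKIM/SPF-authenticated domain instead. From is used here to stay offline.
    """
    msg = message_from_string(raw_message)
    sender = parseaddr(msg.get("From", ""))[1].lower()
    sender_domain = sender.rpartition("@")[2]
    hits = []
    for _, rcpt in getaddresses(msg.get_all("To", []) + msg.get_all("Cc", [])):
        entry = registry.get(rcpt.lower())
        if entry and sender_domain not in entry[1]:
            hits.append((entry[0], sender_domain))  # address escaped the vendor
    return hits

# Constructed sample data: two vendors and two inbound messages.
VENDORS = {"airline-a": {"airline-a.example"}, "shop-b": {"shop-b.example"}}
REGISTRY = build_registry(VENDORS)
LEGIT = (f"From: news@airline-a.example\nTo: {canary_address('airline-a')}\n"
         "Subject: Your miles\n\nhello\n")
LEAKED = (f"From: promo@bulk-sender.example\nTo: {canary_address('airline-a')}\n"
          "Subject: You won\n\nhello\n")

if __name__ == "__main__":
    print(classify(LEGIT, REGISTRY))   # expected sender, no alert
    print(classify(LEAKED, REGISTRY))  # address used by a third party
```

Because each address is derived with a keyed HMAC, a third party who sees one canary address cannot guess the others, and any hit identifies exactly which company's copy of the data was used.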