Cathay Pacific just announced that a possible 9,1 million records of user data were exposed to attackers in the latest breach of an airline.

What concerns me about this breach is that it actually happened long before the British Airways breach. The breach on Cathay Pacific allegedly happened as far back as March.

What is even stranger is that apparently only 403 credit cards were stolen, and all were expired. I don’t know, 9,1 million user details and all you can say is no passwords or credit card details were exposed? Something seems a little fishy.

Either way, 9,1 million emails, addresses, and account details are in the hands of another attacker, and we only find out about it 6 months down the line and only after the British Airways shock.

There is a lot of calculated timing to slow down the burn on this. Had the details shown up on the web, this would have backfired so badly for Cathay Pacific.

What’s the moral of the story? Easy: have an incident response ready for your team and be transparent about what happens.

If you are hosting sensitive data, and you know someone has access to it, it is your duty to report and defend that. Don’t bury your head in the sand and hope for better days. Be noble, be brave, and face your issues when they happen.