Cathay Pacific leaks data of 9.4 million customers

Plus, the DoJ accuses Chinese nationals of cybercrimes, and China accuses the CIA of cybercrimes. Plus, even more cybercrimes!

International airline Cathay Pacific, based in the UK, was issued a £500,000 fine by the Information Commissioner’s Office (ICO) for a data breach that occurred continuously between October 2014 and May 2018. According to the ICO’s notice, approximately 9.4 million data subjects were affected by the breach, which leaked information such as names, nationalities, birth dates, phone numbers, email addresses, and passport numbers for Cathay Pacific customers around the world. 

The company learned of the breach when one of their systems suffered a brute force attack in 2018. As experts investigated the attack on that system, they discovered that four other systems within the company had already been compromised by two different attackers, with the earliest unauthorized access occurring four years previously. Avast security evangelist Luis Corrons sees Cathay Pacific as a cautionary tale, commenting, “Any company can become a victim – attackers only have to succeed once. That’s why it’s critical to be vigilant and always assume that attackers are already in your network. The fact that different actors have been inside Cathay Pacific’s network for years without the company noticing shows that security was not a major concern, and they are lucky they are getting off with a cheap fine.”

The ICO cited a number of deficiencies in the company’s data security including unencrypted backups, outdated software, and easy internet access to the company’s servers. Because the discovery and securing of the breach happened before GDPR took effect in May 2018, the ICO based the fine on the Data Protection Act of 2018, invoking the maximum penalty allowed, which is £500,000. Under GDPR guidelines, the fine would have been much greater.

DoJ charges Chinese nationals with laundering $100 million

The U.S. Department of Justice has indicted two Chinese nationals for laundering over $100 million in cryptocurrency. In a press release issued this week, the DoJ detailed the indictment, alleging that after North Korean hackers stole nearly $250 million from a cryptocurrency exchange, the two Chinese nationals then laundered over $100 million of it through illegal virtual currency exchange operations. The case was a collaborative effort led by the IRS Criminal Investigations division, the FBI, Homeland Security Investigations, and the Korean National Police. 

This week’s stat

Nearly 50 Netgear router models require firmware updates due to a wide variety of security flaws – from remote malware installations to authentication-bypass issues.

Chinese security firm accuses CIA of cyber-espionage

Qihoo 360, a security vendor in China, published a blog post claiming the CIA has been launching cyberattacks at China’s critical industries for the last eleven years. The company contends that evidence, such as the type of malware discovered, proves that the CIA has made targeted attacks against Chinese aviation organizations, scientific research institutions, the petroleum industry, internet companies, and government agencies. A Bleeping Computer article stated that other security experts tracking CIA hacking campaigns have reported activity that matches Qihoo 360’s claims.

This week’s quote 

“Applications are still the most common way in for an attacker.” - Sandy Carielli, principal analyst at tech research firm Forrester, talking to Avast guest blogger Byron Acohido about why CEOs have stopped tweeting.

Tesla, SpaceX supply chain hit with ransomware

Visser Precision, a Denver-based custom parts manufacturer that counts Tesla, SpaceX, and Boeing among its clients, sent an emailed statement to the press that it was “the recent target of a criminal cybersecurity incident, including access to or theft of data.” Tech Crunch reported that the company was in fact hit with DoppelPaymer ransomware, as confidential data from Visser’s servers have appeared on the “DoppelPaymer Leaks” website, where the criminal organization posts the stolen and encrypted data of its victims who do not pay. 

This week’s ‘must-read’ on The Avast Blog

Now that Super Tuesday has come and gone, the race to the White House is only going to get more intense. Follow these four tips for a sane and secure election season.

German BSI advises not to pay ransoms

Germany’s federal cybersecurity agency BSI officially announced to local German authorities and municipalities that in the case of any ransomware attack, the guidance is to refrain from paying the ransom. Bleeping Computer reported that many offices of German leadership banded together to support the guidance, issuing a joint statement encouraging all divisions of the government to work together to give the message to ransomware attackers that German municipalities will not give in to blackmail. The FBI issued a similar PSA to U.S. business owners in October 2019.

Microsoft engineer stole over $10 million 

Volodymyr Kvashuk, a 25-year-old Ukrainian citizen residing in Washington state, was convicted last week in a Seattle court for abusing his position as a Microsoft engineer to steal over $10 million in digital currency. Kvashuk worked at Microsoft from August 2016 to June 2018, when he was fired. During his time at the company, one of his duties was testing its online retail sales platform. Prosecuting attorneys maintained that Kvashuk used his testing access to steal “currency stored value,” such as digital gift cards, and then resell that digital currency on the internet. Kvashuk perpetuated this scheme over seven months, during which he made $2.8 million in bitcoin. Kvashuk was convicted of 18 felonies including wire fraud, money laundering, aggravated identity theft, and filing false tax returns. He will be sentenced in June, where he could face up to 20 years in prison. 


Avast is a global leader in cybersecurity, protecting hundreds of millions of users around the world. Protect all your devices with our award-winning free antivirus. Safeguard your privacy and encrypt your online connection with SecureLine VPN. Get advertisers off your back and disguise your online identity for greater privacy with Avast AntiTrack.

Related articles

--> -->