Friday, 26 October 2018

Delayed notification of privacy leak: Cathay fails its passengers and the public

<Reposted from the Ming Pao editorial of 20181026>

The personal data of about 9.4 million passengers of Cathay Pacific and its subsidiary Cathay Dragon was "accessed without authorisation", the most serious leak of passenger data in the history of the international airline industry. Cathay Pacific is rooted in Hong Kong and was once the world's best airline; its cyber security should be no joke. That such a large volume of passenger data has leaked betrays the trust of the public. Cathay did not notify the authorities and the public as quickly as possible, delaying its announcement for nearly half a year, and its account of the incident was vague. This is unacceptable. Hong Kong's privacy ordinance is outdated and many companies are insufficiently vigilant about cyber security. The government must amend the law as soon as possible to introduce severe penalties, pressing companies to strengthen their cyber security and protect citizens' personal data.

Months-long delay in disclosure unreasonable; "fear of causing panic" is no excuse

The data leaked from Cathay includes 860,000 passport numbers, 245,000 Hong Kong identity card numbers and 430 credit card numbers that had expired or had no security code. Other data accessed without authorisation included passengers' names, nationalities, dates of birth, telephone numbers, email addresses and physical addresses. Cathay said that of the 9.4 million passengers affected, more than half had only their names and email addresses or telephone numbers "accessed without authorisation"; no "sensitive data" such as account passwords had leaked; affected customers would be notified within days; and the public could visit a dedicated website to learn about the incident. Cathay's senior management stressed that the security vulnerability had been closed, said there was no evidence that any personal data had been misused, and said passengers "need not worry about financial loss"; if a customer did suffer a loss, Cathay would deal with it at its discretion.

Cathay has handed out reassurances, but public perception is another matter. Cathay is a large company rooted in Hong Kong for more than 70 years. The public has expectations of it, and its cyber security ought to be sound. This incident has already unsettled everyone who has ever flown with the airline, and the way Cathay's management handled it afterwards was even worse. Cathay detected suspicious signs in March this year and confirmed the breach in May, yet it did not announce the incident until the night before last, keeping the public in the dark all along. This is unacceptable. Since the incident came to light, Cathay has been vague about details such as the cause: it has neither made clear the period covered by the leaked data, whether the data was actually stolen or whether hackers were responsible, nor clearly undertaken to be responsible for passengers' direct and indirect losses. Cathay chose to issue its announcement late at night without holding a press conference, which is hardly how a responsible large company should behave.

Cathay's explanation is that because the investigation took time, the company wanted first to understand the whole incident and put follow-up arrangements in place, and did not want to "create unnecessary panic", so it did not announce the incident until this week. This explanation makes one question whether Cathay's management understands the gravity of the matter. Admittedly, Cathay could hardly have sounded the alarm hastily in March, before it understood the situation, merely because "abnormalities" in its data had been detected; but it still had to respect the public's right to know. In May Cathay confirmed that personal data had leaked, and once it had a rough grasp of which passengers' data was involved it should have notified them as soon as possible. There was no reason to hold back the news for many months.

At the end of August this year hackers broke into British Airways' database and the credit card data of 380,000 customers was leaked. BA issued a notice immediately upon discovering the breach last month and at the same time undertook to compensate customers for their losses. BA's decisive handling and Cathay's foot-dragging are worlds apart. Granted, the passenger data "accessed without authorisation" at Cathay has not so far been shown to involve large amounts of credit card data, which differs from the BA case; but Cathay's claim that no "sensitive data" was leaked and that the public need not worry makes one suspect that management does not grasp the seriousness of a leak of personal privacy data and is intent only on playing the incident down.

What hackers covet today is not only credit card data but also personal data such as passport numbers; cyber criminals can use victims' private data to steal identities and carry out all kinds of fraud online. The aviation and travel industries hold large amounts of customer identity data and in recent years have become prime targets for cyber criminals; in Hong Kong, travel agencies have been hit more than once. Cathay's statement that there is no evidence that any personal data has been misused does not mean affected citizens can rest easy.

Hong Kong companies' cyber security awareness is low; the government must amend the law to strengthen penalties

Since the 9/11 attacks the airline industry has guarded flight security extremely strictly, but it has paid insufficient attention to the security of passengers' personal data, only beginning to recognise the threat of cyber crime in recent years. Since the start of this year several international airlines have suffered passenger data leaks: besides Cathay and BA, Delta Air Lines also said hackers had broken into a contractor's computer systems, leaking the personal payment data of hundreds of thousands of customers. Cathay's management must change its thinking and strengthen cyber security to prevent similar incidents from recurring.

Awareness of cyber security in Hong Kong is very low. From the earlier theft of the data of 380,000 Hong Kong Broadband customers to the Cathay incident now, both cases show that Hong Kong companies are not vigilant enough about cyber security. The performance of large companies is unsatisfactory, and the situation of small and medium-sized enterprises is even more worrying. Cathay laid off staff from its information technology department last year; whether this affected the company's cyber security work and sowed the seeds of the data leak is hard to judge for now, but the fact that when local companies have cut jobs in recent years the information technology security department has often been first under the knife reflects companies' cavalier attitude towards cyber security.

The government is keen to promote innovation and technology, but the law on technology and privacy is quite outdated. Under the European Union's latest regulation, in the event of a major data leak the company involved must report it within 72 hours, and the maximum fine for non-compliance is 4% of annual global turnover. By contrast, Hong Kong's Personal Data (Privacy) Ordinance does not require companies to report a personal data leak; whether to disclose is entirely voluntary, so companies lack any incentive to spend money on strengthening cyber security. Hong Kong's privacy ordinance was enacted 21 years ago and many of its provisions are already out of date, failing to meet the needs of today's networked age. The government must amend the ordinance as soon as possible to strengthen the reporting mechanism and penalties, lest the Office of the Privacy Commissioner for Personal Data become a toothless tiger.

Cathay Pacific's data breach incident

THE personal data of about 9.4 million passengers of Cathay Pacific and its subsidiary Cathay Dragon was "accessed without authorisation" in the worst leak of passenger data in the history of the international airline industry. Instead of notifying the authorities and the public as soon as possible, the company delayed announcing the incident for nearly six months. This is unacceptable. Hong Kong's privacy ordinance is outdated and a lot of corporations are not vigilant enough about cyber security. The government should amend the law as soon as possible to introduce heavy penalties and urge corporations to enhance their cyber security to protect the personal data of citizens.

Cathay Pacific is a big corporation that has been based in Hong Kong for over 70 years. Its cyber security is expected to be impregnable. The incident has left all who have flown with the airline worried. The way Cathay's management handled the incident afterwards was even worse. The company detected suspicious activities last March and confirmed in May that personal data of its passengers had been stolen. However, the company only made public the incident the evening before last. The public was kept in the dark all these months.

The explanation that Cathay Pacific has given is that the investigation took time, and to avoid creating "unnecessary panic", they wanted to find out what had happened so that they could take proper follow-up action and make necessary arrangements. It is true that it was hard for Cathay Pacific to raise the alarm immediately last March just because "abnormalities" were detected without fully understanding what had happened. However, the company must respect the public's right to know. When the company received confirmation in May that passengers' personal data had been leaked and knew roughly who were affected, it should have notified the passengers promptly instead of waiting for so many months before disclosing the incident. Even though Cathay Pacific has reassured the public that there is no evidence that any personal data has been misused, it does not mean that the affected citizens' worries can be put to rest.

In Hong Kong, the awareness of cyber security is very low. The personal data of 380,000 customers of Hong Kong Broadband was stolen not long ago, and now it is Cathay Pacific. This shows that Hong Kong companies are not vigilant enough about cyber security. While the performance of big corporations is far from satisfactory, the situation of small- and medium-sized enterprises is even more worrying. Last year, Cathay Pacific laid off a number of employees from its information technology department. For now, it is hard to judge whether this has affected the cyber security work of the company and sowed the seeds of the data leak. However, the fact that information technology departments are often targeted in redundancy plans of local companies reflects corporations' cavalier disregard for cyber security.

The government has been keen to promote innovation and technology, but Hong Kong's law regarding technology and privacy is outdated. The European Union's new General Data Protection Regulation stipulates that a company must report any major data breach within 72 hours and the penalty for non-compliance is up to 4% of a company's annual revenue worldwide. In contrast, Hong Kong's Personal Data (Privacy) Ordinance does not require a company to report a data breach, and disclosure is entirely voluntary. Corporations therefore do not have an incentive to spend money on improving cyber security. The Personal Data (Privacy) Ordinance was enacted 21 years ago. Many of its provisions are already out of date and do not meet the needs of the cyber age. To prevent the Office of the Privacy Commissioner for Personal Data from becoming a toothless tiger, the government must amend the ordinance as soon as possible to strengthen the reporting mechanism and introduce heavier penalties.

