30 October 2018

Cathay Pacific data leak piques law firm's class action interest

Cathay Pacific's delayed disclosure of massive data breach attracts law firm handling BA data breach, says it is even 'more serious.'

The UK arm of America’s SPG Law is planning to seek compensation for passengers of Hong Kong airline carrier Cathay Pacific Airways through a class action overseas following the carrier’s massive data leak, and argues general data protection regulation (GDPR) will apply.

Delayed response

SPG Law, which has been working on the case of the recent British Airways data breach,  presents itself as a law firm which represents ‘thousands of individuals who have been harmed by the wrongdoing of corporate giants.’ The firm says Cathay Pacific customers have a case under new EU regulation, and seeks to claim up to £1,500 per person or possibly more based on individual cases. They said the breach, which affected 9.4 million customers, was ‘more serious’ than the British Airways’ data leak first announced in September. Some 430,000 payment card details had been disclosed, and the firm had launched a similar action for about 3,000 clients over that incident. Cathay Pacific has took its time on disclosing the breach. which was detected in March but not confirmed until early May. The compromised data included names, passport numbers, ID numbers, travel history and credit card numbers.

GDPR ‘will apply’

SPG Law posted a notice on their website that ‘you have a right to compensation from Cathay Pacific for this data leak under Article 82 of the European Union's GDPR. You can be compensated for inconvenience, distress and annoyance associated with the data leak.’ In a an e-mail to the South China Morning Post, SPG Law Tom Goodhead, explained the GDPR would be applicable to the Cathay case despite the regulation only coming into force on May 25, and ‘whilst the data breach may have been discovered in March, [customers were] not notified until after the coming into effect of the GDPR. The prevailing understanding of the GDPR is that it will apply in such circumstances.’ The firm expects clients primarily to come from Britain, mainland China, Hong Kong and the United States.