HK’s Cathay Pacific faces first collective legal action over massive data breach, with 200 customers poised to make claims

31-Oct-2018 Intellasia | South China Morning Post | 6:00 AM Print This Post

Cathay Pacific Airways is facing its first collective legal action in the wake of a massive data breach after about 200 customers expressed their intention to make claims over the leak, the Post has learned.

Hong Kong’s flagship carrier is also under tight scrutiny by the local government, with acting chief executive Matthew Cheung Kin-chung threatening on Tuesday to punish the airline if it failed to cooperate with the city’s privacy watchdog.

Cathay Pacific divulged last Wednesday that in what the privacy commission described as Hong Kong’s largest scale of data leak so far personal details belonging to 9.4 million customers had been illegally accessed. The revelation came months after the breach was discovered in March and confirmed in early May.

Cheung, who spoke before chairing Tuesday’s Executive Council meeting on behalf of Chief Executive Carrie Lam Cheng Yuet-ngor, said the government was highly concerned about the breach.

“If Cathay Pacific is not cooperative, the [privacy] commissioner is entitled to take legal action under the ordinance, which carries penalties,” he said. “[Cathay] has to obey the instructions and fully cooperate with our investigation.”

On Monday, Privacy Commissioner Stephen Wong Kai-yi accused the airline of ignoring the watchdog’s request for information six days after the leak was made public.

Cheung said both the Office of the Privacy Commissioner for Personal Data and the police force had looked into the matter, and time should be allowed for the investigation at this stage.

A Cathay Pacific spokeswoman said the airline had notified police and the privacy commissioner’s office about the incident.

“We are cooperating and will continue to cooperate with the authorities in their investigation,” she said.

Following a police search for evidence at Cathay Pacific’s headquarters in Chek Lap Kok on Monday, the Post learned that about 200 customers had expressed their intention to make a claim against the airline.

“They are mainly from Hong Kong, some from mainland China and some from the United Kingdom,” Tom Goodhead, a partner and barrister at SPG Law, said in an email reply to questions from the Post.

The law firm set up a compensation website on October 25 after Cathay Pacific disclosed that data from 9.4 million passengers had been leaked, including names, passport numbers, ID numbers, travel history and credit card numbers.

Goodhead earlier told the Post that the firm would file “multiple, separate actions and then seek to reach settlement with Cathay”.

The group action planned in Britain would be restricted to European Union residents. On the website, the firm said the claimants had a right to compensation from Cathay Pacific for the data leak under Article 82 of the European Union general Data Protection Regulation (GDPR).

For other claimants, like those in Hong Kong and mainland China, Goodhead said the firm would file separately in the Netherlands, which “provides a mechanism [by which a] stichting, or a foundation, can represent claimants worldwide on a class action basis”.

He said the relevant Dutch law, WCAM also called the Collective Settlement procedure had been used in a number of high-profile transnational cases.

The law firm is seeking to claim up to UK pound 1,500 (HK$15,000) for each person and possibly more based on individual cases.

Legal experts in Hong Kong questioned if the overseas collective action would mean a better chance for local residents to seek compensation from the airline.

Cathay Pacific declined to comment on the collective legal action.


Category: Hong Kong

Print This Post

Comments are closed.