Updated Nov 10, 2018, 4:03:12 PM
Metro Manila (CNN Philippines, November 10) — The National Privacy Commission (NPC) has ordered Cathay Pacific Airways to explain why it should not be prosecuted for failing to notify the government in a timely manner about a data breach that affected over 100,000 Filipinos months ago.
The NPC, in an October 29 document released Saturday, said it was notified about the data leak only on October 25, even though the Hong Kong airline had already noted suspicious activity in March and confirmed the hack in May.
"It is necessary to require Cathay to explain, in writing, why Cathay and its responsible officers should not be prosecuted under the provisions of the Data Privacy Act of 2012 for Concealment of Security Breaches Involving Sensitive Personal Information," the NPC said in its order.
This crime is punishable by a year and six months of imprisonment and a fine of up to P1 million.
The NPC wants Cathay Pacific to explain its belated notification within 10 days and provide further information on the measures taken to address the breach within five days. It is not immediately known if the airline has already complied with the NPC's order.
Cathay Pacific, one of Asia's top airlines, said 102,209 Filipinos had their data compromised, and roughly 35,700 Philippine passports were exposed, along with 144 credit card numbers. The airline earlier disclosed that the personal information of more than 9 million passengers may have been stolen.
"Among those fields taken were passenger name, nationality, date of birth, phone number, e-mail, credit card number, address, passport number, identity card number, frequent flyer membership number, customer service remarks, and historical travel information," the NPC order read, citing Cathay Pacific data.
"No travel or loyalty profile was accessed in full, and no passwords were compromised," it added.