Post-breach, Cathay Pacific hit by group action by UK law firm

Hacking makes the money makes the world go round.

Fresh from launching a £500 million group action against British Airways after a serious security breach, UK law firm SPG Law has wasted no time responding to the announcement last week of a hack at Cathay Pacific which saw the personal data of 9.4 million Cathay Pacific passengers breached.

SPG Law is inviting customers of Cathay Pacific to visit its website at cathaydatabreach.com (they were obviously quick off the draw setting that up…)


What shocked many people about the Cathay Pacific data breach is the months and months it took for the company to announce publicly that it had suffered a data breach.

In its announcement last week of a “data security event”, the airline revealed that it had first detected “suspicious activity” on its network in March 2018 and confirmed that there had been unauthorized access to personal information in early May 2018.

That length of delay is clearly bad news for those passengers who had their names, nationalities, dates of birth, phone numbers, email addresses, addresses, passport numbers, identity card numbers, frequent flier membership numbers, customer service remarks, historical travel information, and (in some cases) credit card numbers accessed by hackers.

But never fear, SPG Law (and no doubt other law firms) are offering to apply some pressure on Cathay Pacific to cough up some compensation.

SPG Law, which is the newly-launched UK division of US law firm Sanders Phillips Grossman, estimates that each affected traveller may be able to claim thousands of dollars against Cathay Pacific, and notes that the airline may be failing to fulfil its requirements under GDPR by not offering any financial compensation for European individuals who suffer direct financial losses or non-material damage.

Group actions against hacked companies are a regular sight in the United States, but are relatively new here in the UK.

My hunch is that while big organisations continue to suffer serious security breaches, we’ll continue to see opportunistic law firms helping the public receive some compensation (and skimming off a tidy sum for themselves, of course).

Businesses may be well-minded to consider that fact when they dawdle for months over disclosing a data breach.


Graham Cluley is an award-winning keynote speaker who has given presentations around the world about cybersecurity, hackers, and online privacy. A veteran of the computer security industry since the early 1990s, he wrote the first ever version of Dr Solomon's Anti-Virus Toolkit for Windows, makes regular media appearances, and is the co-host of the popular "The AI Fix" and "Smashing Security" podcasts. Follow him on Bluesky, Mastodon, and Threads, or drop him an email.

One comment on “Post-breach, Cathay Pacific hit by group action by UK law firm”

  1. Jim

    I wonder if a law firm will go after Equifax and Curry's? Sign me up, providing they don't want any money first of course!
