Cathay Pacific Airways has admitted it is in crisis over a data breach affecting 9.4 million passengers. Photo: Fung Chang
Opinion
SCMP Editorial

Cathay Pacific hack calls for change of mindset

Hong Kong flagship airline admits it is in crisis over data breach that hit 9.4 million passengers, but the leak should have been revealed months ago and time is ripe for a disclosure law

Cathay Pacific Airways has admitted it is in crisis over a data breach affecting 9.4 million passengers. The size of the hack and the seven-month delay in revealing that sensitive information was stolen have caused widespread alarm among customers, lawmakers and regulators, and could lead to hefty fines overseas. There are obviously shortcomings in the company’s electronic security systems and a lack of understanding about the need to promptly disclose when a breach occurs. But Hong Kong’s reputation has also been harmed, and the government has an obligation to strengthen legislation to ensure firms protect personal information and report in a timely manner when unauthorised access of data is discovered.

The airline’s officials denied lawmakers’ accusations that there had been a cover-up. Cathay chairman John Slosar pledged to improve IT security and training and to call in police sooner in future. He is saying what authorities and victims want to hear, but far too late; hacking and data breaches are as old as the internet and governments elsewhere have for years been warning and enacting laws to protect consumers. That Cathay and the Hong Kong government have been so lax would seem to highlight not concern, but ignorance.

Cathay is, after all, not the only company to get hacked. Countless data breaches occur elsewhere in the world each day and only the uninformed would assume Hong Kong firms’ security is so good that they are immune. The truth is that the lack of regulations requiring the announcement of data breaches means that most of the time, we are none the wiser. Only when there is unusual activity involving credit cards and bank accounts, or identification is used to access records, do we realise something is amiss.

If there were laws, as in the European Union, much of the United States and elsewhere, requiring companies to be transparent when their systems are hacked, we would have the chance to take preventive action by changing passwords or freezing accounts. Cathay’s delay – for which it has still not given a plausible explanation – makes light of responsibilities to customers. Its mindset, and that of Hong Kong authorities, has to swiftly change.

This article appeared in the South China Morning Post print edition as: Cathay hack calls for change of mindset