Originally Posted by Hong Kong Dave

Surprising anyone would say this because it's not a judgement call at all. I can only assume this was the script from a Public Relations idiot, with zero knowledge of the law.
Under GDPR, if you have personal data on any EU residents, you have a duty to disclose a breach to the authorities within 72 hours, and to the affected persons "without undue delay".
While they did eventually notify the Hong Kong police cyber crime team, it was months after the event.
Even if the attack took place before the GDPR watershed on the 25th of May, the failure to notify within 72 hours was ongoing while the regulations were in force.
These are the facts.

It's now up to the EU whether they want to make an example of Cathay or not.