Hong Kong’s Cathay Pacific, one of the world's most renowned Asian airlines, has reported a serious data breach that saw the personal information of millions of customers accessed without authorisation.
The carrier confirmed the breach in a statement, saying “the passenger data of approximately 9.4 million people has been accessed” without authorisation and that it had contacted local police.
The types of personal data accessed by the intruders was extremely wide-ranging, according to Cathay’s statement, and included the following: “Names of passengers, their nationalities, dates of birth, telephone numbers, email, physical addresses, passport numbers, identity card numbers, frequent flyer programme membership numbers, customer service remarks and historical travel information.”
Approximately 860,000 passport numbers and 245,000 Hong Kong ID card numbers were stolen, the airline said, in addition to 403 expired credit cards and 27 credit cards with no CVV number. According to the airline, “The information accessed varies between passengers. No travel or loyalty profiles were accessed in full. No passwords were compromised.”
The statement was released in accordance with stock exchange rules, and reveals some troubling information regarding the timing of Cathay Pacific’s disclosure that will likely cause the brand significant issues. While transparency is welcomed by consumers, the airline said it “discovered suspicious activity” on its network as early as March this year.
Cathay Pacific then confirmed the breach, the statement reads, in early May. “Since that time, analysis of the data has continued in order to identify affected individuals and to determine whether the data at issue could be reconstructed,” the carrier said, to explain the delay in disclosure.
Questions are already being asked about the delay, with Hong Kong legislator Elizabeth Quat telling AFP it was “unacceptable”.
Cathay Pacific said it is now contacting affected passengers. The company’s share price tumbled more than 6% earlier today, and Hong Kong’s privacy commissioner for personal data “expressed serious concern” in a statement, urging the airline to “take remedial steps with details explained immediately”.