Cathay Pacific Airways says the personal data of nearly 9.4 million passengers of its Cathay Pacific and Cathay Dragon airlines was hacked earlier this year.
The airline group said it had initially discovered suspicious activity on its network in March 2018 and investigations in early May confirmed that certain personal data had been accessed. It’s not clear why it took the carrier this long to make the information public.
Personal data accessed included: “Passenger name, nationality, date of birth, phone number, email, address, passport number, identity card number, frequent flyer programme membership number, customer service remarks and historical travel information,” according to Cathay.
Cathay also said 860,000 passport numbers and about 245,000 Hong Kong identity card numbers were accessed, along with 403 expired credit card numbers and 27 credit card numbers with no Card Verification Value (CVV).
Cathay chief executive Rupert Hogg apologised and said there was “no evidence” the information had been misused. It has notified the Hong Kong police and relevant authorities.
“Upon discovery, the company took immediate action to investigate and contain the event,” Hogg said. “The company has no evidence that any personal information has been misused. The IT systems affected are totally separate from its flight operations systems, and there is no impact on flight safety.”
The company is in the process of contacting affected passengers with Hogg saying: “We have no evidence that any personal data has been misused. No one’s travel or loyalty profile was accessed in full, and no passwords were compromised.
“We acted immediately to contain the event, commence a thorough investigation with the assistance of a leading cybersecurity firm, and to further strengthen our IT security measures,” he added.
The Cathay incident is the latest in a string of airline data breaches including last month when British Airways said hackers managed to breach its website and app, stealing data from many thousands of customers in the process.
Air Canada also said its app suffered a data breach in August, resulting in the suspected loss of thousands of its customers’ personal details. And in April, Delta Airlines said credit card details of thousands of customers were exposed following a cyber attack on a vendor.
Anyone who thinks they may have been affected can go to infosecurity.cathaypacific.com for more information.