Number of passengers affected exceeds population of airline's home base of Hong Kong
Cathay Pacific data hack leaves 9.4 million passengers exposed and investors concerned
Cathay Pacific said a hacker has accessed the personal data of 9.4 million passengers but found no evidence that the information had been misused.
The Hong Kong-based airline, which made the revelation seven months after finding the data breach, discovered the unauthorised access as part of its ongoing IT security processes, it said in a statement. While passports, addresses, emails and identity card numbers were accessed, there was no impact on flight safety.
"We acted immediately to contain the event, commence a thorough investigation with the assistance of a leading cybersecurity firm, and to further strengthen our IT security measures," Rupert Hogg, Cathay Pacific's chief executive, said in a statement, without revealing who was behind the hack.
The data breach comes in the midst of a turnaround at Cathay Pacific as it tries to reverse two consecutive annual losses and compete against rivals from the Middle East by cutting costs and increasing revenues. The hack, which affected more people than the population of the airlines Hong Kong hub, dwarfs data breaches reported by British Airways and Delta Air Lines this year.
Cathay Pacific's shares slumped almost 7 per cent to a nine-year low on Thursday.
Hong Kong's Privacy Commissioner for Personal Data, Stephen Kai-yi Wong, expressed serious concern over the data breach and urged the airline to notify the affected passengers immediately.
The airline discovered suspicious activity on its network in March and an investigation confirmed the unauthorized access of some personal data in May, it said.
Cathay Pacific said the data stolen includes: passenger names, nationalities, date of birth, phone numbers, email addresses, physical addresses, passport and identity card numbers and frequent flyer programme membership numbers, among other information. Additionally, hackers accessed 403 expired credit card numbers and 27 credit card numbers with no card verification value.
The airline is contacting affected passengers and notified the Hong Kong Police and other relevant authorities, it said.
Mimecast, a London-based cloud security services provider, said notified customers should change their passwords as compromised personal data could lead to highly-targeted attacks.
"The Cathay Pacific breach is very concerning in terms of its scale and length of time taken to alert affected customers," said Steve Malone, director of security product management at Mimecast.
Last month British Airways, a partner of Cathay Pacific in the Oneworld alliance of global airlines, apologised after a two-week hack of its system in August and September resulted in the theft of 380,000 customers' credit-card data.