Cathay Pacific – the Hong Kong-based airline that was co-founded by Australian Sydney de Kantzow in 1946 – revealed in a statement that it had uncovered “unauthorised access” to parts of its passenger data system. It did not state when the breach actually took place.
The breach is said to have affected up to 9.4 million of its customers globally, with the discovery made during “ongoing IT security processes”.
Cathay Pacific said the amount and type of data exposed varies from passenger to passenger, and can include a range of personal, financial and contact information such as names, nationalities, dates of birth, residential/postal and email addresses, phone numbers, passport numbers and frequent flier details.
Even past travel histories and customer reviews were potentially exposed by the breach.
In addition, it said 27 credit card numbers had been accessed, although the corresponding CVVs were not exposed. A further 403 expired credit card numbers were also accessed.
“We are very sorry for any concern this data security event may cause our passengers. We acted immediately to contain the event, commence a thorough investigation with the assistance of a leading cybersecurity firm, and to further strengthen our IT security measures,” the carrier’s CEO, Rupert Hogg, said.
“We are in the process of contacting affected passengers using multiple communications channels and providing them with information on steps they can take to protect themselves. We have no evidence that any personal data has been misused. No one’s travel or loyalty profile was accessed in full, and no passwords were compromised.”
Nick Lennon of security firm Mimecast said the breach is troubling because of “its scale and length of time taken to alert affected customers”.
“Once personal information is compromised, cybercriminals can implement highly targeted spear-phishing and social engineering attacks, often via impersonation emails against friends or business contacts. These impersonation attacks are now the easiest way for criminals to steal money and valuable data,” he said.
“Notified customers should change passwords as a precaution and alert their employer’s IT security teams to help look out for attacks misusing their personal information.”
Cathay Pacific told My Business that it does not have a breakdown of the nationalities of passengers impacted by the breach.
A month earlier, Cathay Pacific made headlines after an embarrassing blunder led to one of its aircraft needing to be repainted.