More than nine million people have had their personal information accessed as part of a huge Cathay Pacific data breach that the airline kept secret for more than six months.
The Hong Kong airline revealed this week that the personal data, including names, nationalities, phone numbers, addresses and passport numbers, of 9.4 million people had been exposed as part of a breach earlier this year.
Cathay Pacific reported that about 860,000 passport numbers had been accessed and 245,000 Hong Kong identity card numbers, along with 403 expired credit card numbers and 27 credit card numbers without the CVV number.
The more than nine million passengers impacted by the breach had a variety of this data accessed by the hackers.
In a statement, Cathay Pacific Airways chief executive officer Rupert Hogg said the company first identified “suspicious activity” in its network in March, and confirmed “unauthorised access to certain personal data” in early May.
But the company only informed those impacted by the breach, and the general public, this week, more than six months after it was detected.
Hogg said that after it was detected, the company took “immediate action to contain the event”.
“We are very sorry for any concern this data security event may cause our passengers,” Hogg said.
“We acted immediately to contain the event, commence a thorough investigation with the assistance of a leading cybersecurity firm, and to further strengthen our IT security measures.
“We are in the process of contacting affected passengers, using multiple communications channels, and providing them with information on steps they can take to protect themselves.”
The company has said that there is “no evidence that any personal data was misused” and that no travel or loyalty profiles had been accessed in full.
The IT system breached is separate from flight operations, the company said, and there is “no impact on flight safety”.
Cathay Pacific has now opened up a helpline for those impacted by the breach and referred the matter to police, while the Hong Kong privacy commissioner Stephen Wong Kai-yi has launched an investigation.
Wong Kai-yi criticised the company for not alerting the public of the breach earlier, saying that it “should have sent notifications as soon as suspicious activities were detected to seek solutions together”.
Under the EU’s new General Data Protection Regulation rules, companies are required to report a breach within three days, but the Cathay Pacific breach was discovered just before the scheme came into effect.
In a radio interview, Cathay Pacific chief customer and commercial officer Paul Loo Kar-pui said the company had not revealed the breach earlier to avoid “unnecessary panic”.
“We understand the sensitivity in handling this issue,” he said. “So we hope to do better preparation so our clients will know whether they are affected and how.”
There have been several data breaches involving major airlines this year, including a British Airways hack in September and a Delta Airlines incident in April, both which had several hundred thousand customers had data exposed.