Cathay Pacific Airways yesterday revealed that data of up to 9.4 million of its passengers had been accessed without authorisation.
The airline said it took immediate action to investigate and contain the event upon discovery, and there was no evidence that any personal information had been misused. The IT systems affected are totally separate from its flight operations systems, and there is no impact on flight safety.
Cathay Pacific’s CEO Rupert Hogg said in a statement: “We are very sorry for any concern this data security event may cause our passengers. We acted immediately to contain the event, commence a thorough investigation with the assistance of a leading cybersecurity firm, and to further strengthen our IT security measures.”
He added that there was no evidence that any personal information had been misused, no travel or loyalty profile was accessed in full, and no passwords were compromised.
The airline said the following personal data was accessed: passenger name, nationality, date of birth, phone number, email, address, passport number, identity card number, frequent flyer programme membership number, customer service remarks and historical travel information.
In addition, 403 expired credit card numbers were accessed. Twenty-seven credit card numbers with no CVV were accessed in the breach. The combination of data accessed varies for each affected passenger.
News of Cathay Pacific’s passenger data breach comes just a month after British Airways revealed that credit card details for over 380,000 customers were stolen.