Cathay Pacific has revealed personal data belonging to nearly 10 million of its passengers has been compromised.
The airline said on Wednesday (October 24) that, during a review of its security processes, it discovered evidence of “unauthorised access” to information systems containing passenger data relating to up to 9.4 million people.
Data compromised by the hack includes names, nationalities, dates of birth, phone numbers, addresses, email addresses, passport and identity card numbers, frequent flyer memberships, customer service feedback and historic travel information.
In addition, 403 expired credit card numbers were accessed, as well as 27 active credit card numbers. However, the three- or four-digit CVV security codes were not compromised.
Cathay said the combination of data compromised varied from passenger to passenger. Reuters further reports that, in total, 860,000 passport numbers and 245,000 Hong Kong ID card numbers were accessed.
“Upon discovery, the company took immediate action to investigate and contain the event,” said the airline in a statement. “The company has no evidence that any personal information has been misused. The IT systems affected are totally separate from its flight operations systems, and there is no impact on flight safety.”
The airline has alerted police in Hong Kong, where it is based, and notified other relevant authorities.
Rupert Hogg, Cathay Pacific chief executive, said: “We are very sorry for any concern this data security event may cause our passengers. We acted immediately to contain the event [and] commence a thorough investigation with the assistance of a leading cybersecurity firm, and to further strengthen our IT security measures.
“We are in the process of contacting affected passengers, using multiple communications channels, and providing them with information on steps they can take to protect themselves. We have no evidence that any personal data has been misused. No-one’s travel or loyalty profile was accessed in full, and no passwords were compromised.”
According to Reuters, the company said it discovered suspicious activity on its network in March 2018 and investigations in early May confirmed personal data had been accessed.
Paul Loo, Cathay’s chief customer and commercial officer, defended the time taken to alert affected passengers, telling Hong Kong broadcaster RTHK the airline didn’t want to create “an unnecessary scare”.