In a submission to Hong Kong’s parliament ahead of a hearing into its efforts to stem the tide, the airline said it first detected “suspicious activity” on its network in March and took “immediate action” to contain it.
However, this was followed by further attacks, “which were at their most intense in March, April and May” but continued thereafter as well.
Cathay drafted in external security experts and resources to stem the tide, but the attacks eventually became too much.
It wasn’t until late October, though, that Cathay established the full extent of the data breach, going public some six months after it initially became aware of the attack.
“The nature of this attack involved a number of complex systems that took significant time to analyse,” said the airline.
“An enormous amount of work was involved in the investigation, which was highly technical. The process by which the stolen data could be identified, processed, and linked to a specific passenger also contributed to the length of time involved between initial discovery and public disclosure.”
Passenger data stolen included names, nationalities, dates of birth, phone numbers, addresses, email addresses, passport and identity card numbers, frequent flyer memberships, customer service feedback and historic travel information.
Some 403 expired credit card numbers were also accessed, as well as 27 active credit card numbers. However, the three- or four-digit CVV security codes were not compromised.
In its submission, Cathay said it wanted to be able to give each affected passenger a “single, accurate and meaningful notification” rather than an “overly broad and non-specific notice”.
The airline has also reiterated its apology to passengers for any concern caused.
“We take our responsibilities with respect to our passengers’ personal data very seriously and we acknowledge that there are many lessons that we can and will learn from this event.”