Cathay Pacific has admitted that personal data on up to 9.4 million passengers, including their passport numbers, has been accessed by unauthorised personnel in the latest security screw-up to hit the airline industry.
British Airways hack: Infosec experts finger third-party scripts on payment pagesREAD MORE
The discovery that some of its information systems had been compromised was made amid routine "ongoing IT security processes", the company said. It added that the flight operations systems were entirely separate and there was zero impact on flight safety.
"We are very sorry for any concern this data security event may cause our passengers," said Cathay Pacific CEO Rupert Hogg. "We acted immediately to contain the event, commence a thorough investigation with the assistance of a leading cybersecurity firm, and to further strengthen our IT security measures."
The unauthorised access was first suspected in March this year and following initial investigations, it was confirmed by May that data had been exposed.
Data accessed included passenger names; nationalities; dates of birth; phone numbers; email addresses; physical addresses; 860,000 passport numbers; 245,000 Hong Kong ID card numbers, frequent flyer programme membership numbers; customer service remarks; and historical travel data.
In and among the haul, some 403 expired credit card numbers were accessed, and 27 active credit card numbers were accessed – but with no CVV numbers, it assured the world. Cathay Pacific said the combination of data leaked "varies for each" passenger.
"We are in the process of contacting affected passengers, using multiple communications channels, and providing them with information on steps they can take to protect themselves," said Hogg.
"We have no evidence that any personal data has been misused. No one's travel to loyalty profile was accessed in full, and no passwords were compromised."
Hong Kong cops have been alerted to the data breach and are themselves "notifying the relevant authorities", the airline said.
Anyone with concerns should head to the dedicated website for further advice and contact details.
"We want to reassure our passengers that we took and continue to take measures to enhance our IT security," said Hogg. "The safety and security of our passengers remains our top priority."
Only last month, British Airways confirmed it had suffered a data breach, with external scripts used on its payment systems fingered as the likely attack vector. ®